Input: uinput - sanity check on ff_effects_max and EV_FF

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Currently the user can set ff_effects_max to zero with the EV_FF bit (and
the FF_GAIN and/or FF_AUTOCENTER bits) set, in this case the uninitialized
methods ff->set_gain and/or ff->set_autocenter can be dereferenced,
resulting in a kernel oops.

Check in uinput_create_device() and print a helpful message and return
-EINVAL in case the check fails.

Signed-off-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

authored by

Elias Vanderstuyft and committed by

Dmitry Torokhov 10 years ago daf6cd0c fbae10db

1 changed file

expand all

drivers

input

misc

uinput.c

drivers/input/misc/uinput.c

··· 272 272 input_set_events_per_packet(dev, 60); 273 273 } 274 274 275 + if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) { 276 + printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n", 277 + UINPUT_NAME); 278 + error = -EINVAL; 279 + goto fail1; 280 + } 281 + 275 282 if (udev->ff_effects_max) { 276 283 error = input_ff_create(dev, udev->ff_effects_max); 277 284 if (error)