Commit 05be8b81 authored by Dan Carpenter's avatar Dan Carpenter Committed by Dmitry Torokhov

Input: force feedback - potential integer wrap in input_ff_create()

The problem here is that max_effects can wrap on 32 bits systems.
We'd allocate a smaller amount of data than sizeof(struct ff_device).
The call to kcalloc() on the next line would fail but it would write
the NULL return outside of the memory we just allocated causing data
corruption.

The call path is that uinput_setup_device() get ->ff_effects_max from
the user and sets the value in the ->private_data struct.  From there
it is:
-> uinput_ioctl_handler()
   -> uinput_create_device()
      -> input_ff_create(dev, udev->ff_effects_max);

I've also changed ff_effects_max so it's an unsigned int instead of
a signed int as a cleanup.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDmitry Torokhov <dtor@mail.ru>
parent 341deefe
...@@ -309,9 +309,10 @@ EXPORT_SYMBOL_GPL(input_ff_event); ...@@ -309,9 +309,10 @@ EXPORT_SYMBOL_GPL(input_ff_event);
* Once ff device is created you need to setup its upload, erase, * Once ff device is created you need to setup its upload, erase,
* playback and other handlers before registering input device * playback and other handlers before registering input device
*/ */
int input_ff_create(struct input_dev *dev, int max_effects) int input_ff_create(struct input_dev *dev, unsigned int max_effects)
{ {
struct ff_device *ff; struct ff_device *ff;
size_t ff_dev_size;
int i; int i;
if (!max_effects) { if (!max_effects) {
...@@ -319,8 +320,12 @@ int input_ff_create(struct input_dev *dev, int max_effects) ...@@ -319,8 +320,12 @@ int input_ff_create(struct input_dev *dev, int max_effects)
return -EINVAL; return -EINVAL;
} }
ff = kzalloc(sizeof(struct ff_device) + ff_dev_size = sizeof(struct ff_device) +
max_effects * sizeof(struct file *), GFP_KERNEL); max_effects * sizeof(struct file *);
if (ff_dev_size < max_effects) /* overflow */
return -EINVAL;
ff = kzalloc(ff_dev_size, GFP_KERNEL);
if (!ff) if (!ff)
return -ENOMEM; return -ENOMEM;
......
...@@ -1610,7 +1610,7 @@ struct ff_device { ...@@ -1610,7 +1610,7 @@ struct ff_device {
struct file *effect_owners[]; struct file *effect_owners[];
}; };
int input_ff_create(struct input_dev *dev, int max_effects); int input_ff_create(struct input_dev *dev, unsigned int max_effects);
void input_ff_destroy(struct input_dev *dev); void input_ff_destroy(struct input_dev *dev);
int input_ff_event(struct input_dev *dev, unsigned int type, unsigned int code, int value); int input_ff_event(struct input_dev *dev, unsigned int type, unsigned int code, int value);
......
...@@ -68,7 +68,7 @@ struct uinput_device { ...@@ -68,7 +68,7 @@ struct uinput_device {
unsigned char head; unsigned char head;
unsigned char tail; unsigned char tail;
struct input_event buff[UINPUT_BUFFER_SIZE]; struct input_event buff[UINPUT_BUFFER_SIZE];
int ff_effects_max; unsigned int ff_effects_max;
struct uinput_request *requests[UINPUT_NUM_REQUESTS]; struct uinput_request *requests[UINPUT_NUM_REQUESTS];
wait_queue_head_t requests_waitq; wait_queue_head_t requests_waitq;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment