Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / e0154ded9330c188863b09824c3b07ebafa6e5a4
commite0154ded9330c188863b09824c3b07ebafa6e5a4[log] [tgz]
authorDan Carpenter <dan.carpenter@oracle.com>Wed Feb 17 12:21:10 2021 -0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Wed Mar 03 17:44:41 2021 +0100
treeea640b600d08841fad7e3d5e64c4928fe6380b68
parentbdc2cea4998ad47a606a03a38dfdd8c6f73d08c8 [diff]
Input: joydev - prevent potential read overflow in ioctl

commit 182d679b2298d62bf42bb14b12a8067b8e17b617 upstream.

The problem here is that "len" might be less than "joydev->nabs" so the
loops which verfy abspam[i] and keypam[] might read beyond the buffer.

Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YCyzR8WvFRw4HWw6@mwanda
[dtor: additional check for len being even in joydev_handle_JSIOCSBTNMAP]
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: ea640b600d08841fad7e3d5e64c4928fe6380b68
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS