Google Git
Sign in
chromium / chromiumos / third_party / kernel / refs/heads/stabilize-13020.87.B-chromeos-3.8
commitbf23950869c0340a2d3fd4b469a345951162db7d[log] [tgz]
authorDmitry Torokhov <dmitry.torokhov@gmail.com>Fri Dec 13 22:56:16 2019
committerCommit Bot <commit-bot@chromium.org>Tue Apr 14 13:25:52 2020
treeb6a62abd54ec62764faca6c16e076c037d1b91ab
parentad7d2556d7a2728d855fe794fe943f55acf253fa [diff]
UPSTREAM: Input: add safety guards to input_set_keycode()

If we happen to have a garbage in input device's keycode table with values
too big we'll end up doing clear_bit() with offset way outside of our
bitmaps, damaging other objects within an input device or even outside of
it. Let's add sanity checks to the returned old keycodes.

Reported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com
Reported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
(cherry picked from commit cb222aed03d798fc074be55e59d9a112338ee784)

BUG=chromium:1069757
TEST=Crafted keycode table

Change-Id: I6ed9ecbec5a11c8c3160532f7bbfc99afd6121bc
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/2145623
Reviewed-by: Sean Paul <seanpaul@chromium.org>
1 file changed
tree: b6a62abd54ec62764faca6c16e076c037d1b91ab
  1. arch/
  2. block/
  3. chromeos/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .gitignore
  24. .mailmap
  25. .scmversion
  26. COPYING
  27. CREDITS
  28. Kbuild
  29. Kconfig
  30. MAINTAINERS
  31. Makefile
  32. PRESUBMIT.cfg
  33. README
  34. REPORTING-BUGS