queue-5.15/input-add-bounds-checking-to-input_set_capability.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From bf3bda7329fe14b216e6ee736974208d3bd6480f Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Sun, 20 Mar 2022 21:55:27 -0700
 Subject: Input: add bounds checking to input_set_capability()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 From: Jeff LaBundy <jeff@labundy.com>

 [ Upstream commit 409353cbe9fe48f6bc196114c442b1cff05a39bc ]

 Update input_set_capability() to prevent kernel panic in case the
 event code exceeds the bitmap for the given event type.

 Suggested-by: Tomasz Moń <tomasz.mon@camlingroup.com>
 Signed-off-by: Jeff LaBundy <jeff@labundy.com>
 Reviewed-by: Tomasz Moń <tomasz.mon@camlingroup.com>
 Link: https://lore.kernel.org/r/20220320032537.545250-1-jeff@labundy.com
 Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/input/input.c | 19 +++++++++++++++++++
  1 file changed, 19 insertions(+)

 diff --git a/drivers/input/input.c b/drivers/input/input.c
 index ccaeb2426385..ba246fabc6c1 100644
 --- a/drivers/input/input.c
 +++ b/drivers/input/input.c
 @@ -47,6 +47,17 @@ static DEFINE_MUTEX(input_mutex);

  static const struct input_value input_value_sync = { EV_SYN, SYN_REPORT, 1 };

 +static const unsigned int input_max_code[EV_CNT] = {
 +	[EV_KEY] = KEY_MAX,
 +	[EV_REL] = REL_MAX,
 +	[EV_ABS] = ABS_MAX,
 +	[EV_MSC] = MSC_MAX,
 +	[EV_SW] = SW_MAX,
 +	[EV_LED] = LED_MAX,
 +	[EV_SND] = SND_MAX,
 +	[EV_FF] = FF_MAX,
 +};
 +
  static inline int is_event_supported(unsigned int code,
  				     unsigned long *bm, unsigned int max)
  {
 @@ -2074,6 +2085,14 @@ EXPORT_SYMBOL(input_get_timestamp);
   */
  void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int code)
  {
 +	if (type < EV_CNT && input_max_code[type] &&
 +	    code > input_max_code[type]) {
 +		pr_err("%s: invalid code %u for type %u\n", __func__, code,
 +		       type);
 +		dump_stack();
 +		return;
 +	}
 +
  	switch (type) {
  	case EV_KEY:
  		__set_bit(code, dev->keybit);
 --
 2.35.1
	From bf3bda7329fe14b216e6ee736974208d3bd6480f Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Sun, 20 Mar 2022 21:55:27 -0700
	Subject: Input: add bounds checking to input_set_capability()
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	From: Jeff LaBundy <jeff@labundy.com>

	[ Upstream commit 409353cbe9fe48f6bc196114c442b1cff05a39bc ]

	Update input_set_capability() to prevent kernel panic in case the
	event code exceeds the bitmap for the given event type.

	Suggested-by: Tomasz Moń <tomasz.mon@camlingroup.com>
	Signed-off-by: Jeff LaBundy <jeff@labundy.com>
	Reviewed-by: Tomasz Moń <tomasz.mon@camlingroup.com>
	Link: https://lore.kernel.org/r/20220320032537.545250-1-jeff@labundy.com
	Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/input/input.c \| 19 +++++++++++++++++++
	1 file changed, 19 insertions(+)

	diff --git a/drivers/input/input.c b/drivers/input/input.c
	index ccaeb2426385..ba246fabc6c1 100644
	--- a/drivers/input/input.c
	+++ b/drivers/input/input.c
	@@ -47,6 +47,17 @@ static DEFINE_MUTEX(input_mutex);

	static const struct input_value input_value_sync = { EV_SYN, SYN_REPORT, 1 };

	+static const unsigned int input_max_code[EV_CNT] = {
	+ [EV_KEY] = KEY_MAX,
	+ [EV_REL] = REL_MAX,
	+ [EV_ABS] = ABS_MAX,
	+ [EV_MSC] = MSC_MAX,
	+ [EV_SW] = SW_MAX,
	+ [EV_LED] = LED_MAX,
	+ [EV_SND] = SND_MAX,
	+ [EV_FF] = FF_MAX,
	+};
	+
	static inline int is_event_supported(unsigned int code,
	unsigned long *bm, unsigned int max)
	{
	@@ -2074,6 +2085,14 @@ EXPORT_SYMBOL(input_get_timestamp);
	*/
	void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int code)
	{
	+ if (type < EV_CNT && input_max_code[type] &&
	+ code > input_max_code[type]) {
	+ pr_err("%s: invalid code %u for type %u\n", __func__, code,
	+ type);
	+ dump_stack();
	+ return;
	+ }
	+
	switch (type) {
	case EV_KEY:
	__set_bit(code, dev->keybit);
	--
	2.35.1