| From 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc Mon Sep 17 00:00:00 2001 |
| From: Dmitry Torokhov <dmitry.torokhov@gmail.com> |
| Date: Fri, 6 Apr 2018 10:23:05 -0700 |
| Subject: Input: leds - fix out of bound access |
| |
| From: Dmitry Torokhov <dmitry.torokhov@gmail.com> |
| |
| commit 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc upstream. |
| |
| UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with |
| led > LED_CHARGING: |
| |
| [ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds] |
| [ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128 |
| |
| This happens because we were writing to the led structure before making |
| sure that it exists. |
| |
| Reported-by: Tasos Sahanidis <tasos@tasossah.com> |
| Tested-by: Tasos Sahanidis <tasos@tasossah.com> |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/input/input-leds.c | 8 ++++---- |
| 1 file changed, 4 insertions(+), 4 deletions(-) |
| |
| --- a/drivers/input/input-leds.c |
| +++ b/drivers/input/input-leds.c |
| @@ -88,6 +88,7 @@ static int input_leds_connect(struct inp |
| const struct input_device_id *id) |
| { |
| struct input_leds *leds; |
| + struct input_led *led; |
| unsigned int num_leds; |
| unsigned int led_code; |
| int led_no; |
| @@ -119,14 +120,13 @@ static int input_leds_connect(struct inp |
| |
| led_no = 0; |
| for_each_set_bit(led_code, dev->ledbit, LED_CNT) { |
| - struct input_led *led = &leds->leds[led_no]; |
| + if (!input_led_info[led_code].name) |
| + continue; |
| |
| + led = &leds->leds[led_no]; |
| led->handle = &leds->handle; |
| led->code = led_code; |
| |
| - if (!input_led_info[led_code].name) |
| - continue; |
| - |
| led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", |
| dev_name(&dev->dev), |
| input_led_info[led_code].name); |
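Review bot: The relocated `if (!input_led_info[led_code].name) continue;` check has no comment explaining why it must run before `led = &leds->leds[led_no]`, and the invariant it protects is not visible in this hunk. The sizing of `leds->leds[]` happens earlier in input_leds_connect(), outside the hunk, and presumably counts only LED codes that have a name. I would add a comment above the check such as `/* No slot is allocated for unnamed LEDs; skip before touching leds->leds[] */` so that a later reorder does not reintroduce the slab-out-of-bounds write from the KASAN report. It is also worth confirming that the counting loop and this loop apply exactly the same filter, since any mismatch would let `led_no` index past the allocation. The function body starts and ends outside the hunk.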