From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Kyungtae Kim <kt0755@gmail.com>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Subject: [PATCH 4.14 35/46] vt: keyboard: avoid signed integer overflow in k_ascii
Date: Tue, 9 Jun 2020 19:44:51 +0200
Message-ID: <20200609174029.735837494@linuxfoundation.org>
In-Reply-To: <20200609174022.938987501@linuxfoundation.org>

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit b86dab054059b970111b5516ae548efaae5b3aae upstream.

When k_ascii is invoked several times in a row there is a potential for
signed integer overflow:

UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow:
10 * 1111111111 cannot be represented in type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xce/0x128 lib/dump_stack.c:118
ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
handle_overflow+0xdc/0xf0 lib/ubsan.c:184
__ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495

While it can be worked around by using check_mul_overflow()/
check_add_overflow(), it is better to introduce a separate flag to
signal that number pad is being used to compose a symbol, and
change type of the accumulator from signed to unsigned, thus
avoiding undefined behavior when it overflows.

Reported-by: Kyungtae Kim <kt0755@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-ws
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/keyboard.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -126,7 +126,11 @@ static DEFINE_SPINLOCK(func_buf_lock); /
static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */
static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */
static bool dead_key_next;
-static int npadch = -1; /* -1 or number assembled on pad */
+
+/* Handles a number being assembled on the number pad */
+static bool npadch_active;
+static unsigned int npadch_value;
+
static unsigned int diacr;
static char rep; /* flag telling character repeat */
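
Review bot: The new comment above `npadch_active` and `npadch_value` does not document how the two variables relate, which the old `-1 or number assembled on pad` comment did for the sentinel. Suggest stating that `npadch_value` is only meaningful while `npadch_active` is true, and that it is deliberately `unsigned int` so that accumulation wraps instead of overflowing a signed type. That invariant is what every later reader of these two statics has to know.
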
@@ -816,12 +820,12 @@ static void k_shift(struct vc_data *vc,
shift_state &= ~(1 << value);
/* kludge */
- if (up_flag && shift_state != old_state && npadch != -1) {
+ if (up_flag && shift_state != old_state && npadch_active) {
if (kbd->kbdmode == VC_UNICODE)
- to_utf8(vc, npadch);
+ to_utf8(vc, npadch_value);
else
- put_queue(vc, npadch & 0xff);
- npadch = -1;
+ put_queue(vc, npadch_value & 0xff);
+ npadch_active = false;
}
}
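
Review bot: In the `VC_UNICODE` branch, `to_utf8(vc, npadch_value)` now receives an accumulator that may have wrapped to an arbitrary 32-bit value, and nothing in this hunk bounds it the way `& 0xff` bounds the `put_queue()` branch. Please confirm that `to_utf8()` rejects values outside the valid code point range, or add an explicit range check before the call. Separately, only `npadch_active` is cleared here and `npadch_value` keeps its old contents; that is safe only because `k_ascii` zeroes it on the next activation, so the dependency is worth a word in the comment on the two variables.
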
@@ -839,7 +843,7 @@ static void k_meta(struct vc_data *vc, u
static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
{
- int base;
+ unsigned int base;
if (up_flag)
return;
@@ -853,10 +857,12 @@ static void k_ascii(struct vc_data *vc,
base = 16;
}
- if (npadch == -1)
- npadch = value;
- else
- npadch = npadch * base + value;
+ if (!npadch_active) {
+ npadch_value = 0;
+ npadch_active = true;
+ }
+
+ npadch_value = npadch_value * base + value;
}
static void k_lock(struct vc_data *vc, unsigned char value, char up_flag)
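
Review bot: `npadch_value = npadch_value * base + value;` removes the undefined behaviour but still lets the accumulator wrap silently, so after enough key presses the composed number is no longer what was typed (the UBSAN report in the commit message shows `10 * 1111111111` being reached). If wrapping is the intended behaviour, a one-line comment at the multiplication saying so would stop someone from "fixing" it later; alternatively, ignore further digits once the value exceeds the largest value the consumers in `k_shift` can use. The `if (!npadch_active)` block correctly resets the value to 0 before the first digit is accumulated, which keeps the first-digit result identical to the old `npadch = value` path.
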