From: Dan Carpenter <dan.carpenter@oracle.com>
To: Denis Efremov <denis.e.efremov@oracle.com>
Cc: Alexander Larkin <avlarkin82@gmail.com>,
dmitry.torokhov@gmail.com, linux-input@vger.kernel.org,
linux-kernel@vger.kernel.org, security@kernel.org,
Murray McAllister <murray.mcallister@gmail.com>
Subject: Re: [PATCH] Input: joydev - prevent potential write out of bounds in ioctl
Date: Mon, 5 Jul 2021 13:54:14 +0300 [thread overview]
Message-ID: <20210705105414.GG26672@kadam> (raw)
In-Reply-To: <87e7ac83-4188-662b-d5ea-60957cc754e0@oracle.com>
On Sat, Jul 03, 2021 at 07:21:58PM +0300, Denis Efremov wrote:
> Hi,
>
> On 6/20/21 3:00 PM, Alexander Larkin wrote:
> > The problem is that the check of user input values that is just
> > before the fixed line of code is for the part of first values
> > (before len or before len/2), but then the usage of all the values
> > including i >= len (or i >= len/2) could be.
> > Since the resulted array of values inited by default with some
> > good values, the fix is to ignore out of bounds values and
> > just to use only correct input values by user.
> > Originally detected by Murray with this simple poc
> > (If you run the following as an unprivileged user on a default install
> > it will instantly panic the system:
> >
> > int main(void) {
> > int fd, ret;
> > unsigned int buffer[10000];
> >
> > fd = open("/dev/input/js0", O_RDONLY);
> > if (fd == -1)
> > printf("Error opening file\n");
> >
> > ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
> > printf("%d\n", ret);
> > }
> >
> > Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
>
>
> I'm not sure that this is a proper fixes tag. Seems like the bug is in the
> code since the first commit (1da177e4c3f4). Maybe it's possible to add 2 fixes
> tags just to notify developers that this bug is older than a 182d679b2298
> partial fix.
Normally just setting the fixes tag to my patch would be the correct
thing to do. But in this case, I didn't get a CVE for my patch so
scripts which determine if a patch is required automatically might get
confused? It's not unusual to use two fixes tags so it might be a good
idea in this case just to avoid any confusion.
regards,
dan carpenter
prev parent reply other threads:[~2021-07-05 10:54 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-20 12:00 [PATCH] Input: joydev - prevent potential write out of bounds in ioctl Alexander Larkin
2021-06-20 16:37 ` Linus Torvalds
2021-06-21 5:25 ` Dmitry Torokhov
2021-06-21 15:45 ` Linus Torvalds
2021-06-21 20:06 ` Alexander Larkin
2021-06-21 21:30 ` Alexander Larkin
2021-06-21 21:32 ` Alexander Larkin
2021-06-21 22:38 ` Dmitry Torokhov
2021-07-03 16:21 ` Denis Efremov
2021-07-05 10:54 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210705105414.GG26672@kadam \
--to=dan.carpenter@oracle.com \
--cc=avlarkin82@gmail.com \
--cc=denis.e.efremov@oracle.com \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=murray.mcallister@gmail.com \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.