From: "Jan Kratochvil"
Subject: Re: [PATCH] playing ff effect with code greater then FF_EFFECTS can cause buffer overflow
Date: Wed, 2 May 2007 17:31:00 +0200
Message-ID: <35f02cc20705020831s36a1741awd699fc382c1cd309@mail.gmail.com>
References: <200705012253.47925.dtor@insightbb.com>
In-Reply-To: <200705012253.47925.dtor@insightbb.com>
To: Dmitry Torokhov
Cc: Jan Kratochvil, Jiri Kosina, Anssi Hannula, linux-input@atrey.karlin.mff.cuni.cz
List-Id: linux-input@vger.kernel.org

Hi Dmitry,

On 5/2/07, Dmitry Torokhov <dtor@insightbb.com> wrote:
Hi Jan,

On Tuesday 01 May 2007 19:15, Jan Kratochvil wrote:
> From: Jan Kratochvil <honza@jikos.cz>
> To: Dmitry Torokhov < dmitry.torokhov@gmail.com>
> Cc: Jiri Kosina <jkosina@suse.cz>, Anssi Hannula <anssi.hannula@gmail.com>,
>     linux-input@atrey.karlin.mff.cuni.cz, linux-kernel@vger.kernel.org
> Subject: [PATCH] playing ff effect with code greater then FF_EFFECTS can cause buffer overflow
>
> Hi,
>   I found a bug in ff-memless.c, so I fixed it. As you can see, I am
> doing a check for whether effect_id is less than 0, but I am aware that it is useless
> because effect_id is actually input_event.code, which is __u16, but on the
> other side, as long as the effect_id is int, I feel it is correct to check
> whether it is > 0.
>

Well spotted, thanks. However I think that the check should be moved up
the stack, into force feedback core. What do you think about the patch
below?

Ok by me.

Jan Kratochvil

--
Dmitry


Input: force feedback - make sure effect is present before playing

Make sure that requested effect id is not out of range for the
device and that effect is present before requesting device to
play it.

Reported-by: Jan Kratochvil <honza@jikos.cz>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
---

drivers/input/ff-core.c |    3 ++-
1 files changed, 2 insertions(+), 1 deletion(-)

Index: work/drivers/input/ff-core.c
===================================================================
--- work.orig/drivers/input/ff-core.c
+++ work/drivers/input/ff-core.c
@@ -281,7 +281,8 @@ int input_ff_event(struct input_dev *dev
                break;

        default:
-               ff->playback(dev, code, value);
+               if (check_effect_access(ff, code, NULL) == 0)
+                       ff->playback(dev, code, value);
                break;
        }
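Review bot: the guard added in the default branch drops the event silently when check_effect_access() returns non-zero, and nothing in the hunk changes what input_ff_event() returns, so a caller that plays an out-of-range or never-uploaded effect id gets no indication; a one-line comment next to `if (check_effect_access(ff, code, NULL) == 0)` (or a debug message) saying that unknown effect ids are deliberately ignored on the event path would help the next reader. The commit message should also say why NULL is passed as the third argument (no struct file is in scope in input_ff_event()) and what that disables inside check_effect_access(), and how the check is synchronised against a concurrent erase of the same id, since the hunk shows no locking around the new test.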



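The type argument in Jan's message above (effect_id is an int inside the driver, but it arrives as the __u16 input_event.code, so a "< 0" test can never fire while values up to 65535 can) is easy to see in a small model. The following is an added example, not code from the kernel, from this patch, or from either author: struct ff_model and the model_* functions are hypothetical stand-ins for ff_device, check_effect_access() and input_ff_event(), and the 16-slot table size is made up for the demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-device force-feedback state; the kernel's
 * struct ff_device is not reproduced here. The 16-slot table is a made-up size. */
#define MODEL_MAX_EFFECTS 16

struct ff_model {
	int max_effects;                   /* number of slots in the effect table */
	bool uploaded[MODEL_MAX_EFFECTS];  /* slot holds an uploaded effect */
	int play_count[MODEL_MAX_EFFECTS]; /* how often each slot was started */
};

/* Same shape as the range/presence part of the patch's check_effect_access():
 * the id is taken as int so that a negative value from a signed caller is
 * rejected too, although the event path can only ever supply 0..65535. */
int model_check_effect_access(const struct ff_model *ff, int effect_id)
{
	if (effect_id < 0 || effect_id >= ff->max_effects || !ff->uploaded[effect_id])
		return -EINVAL;
	return 0;
}

/* "Before" behaviour of the bug Jan reported: the raw 16-bit event code is
 * used directly as the table index. This only returns the index the unchecked
 * code would have used (it does not dereference it), so the demo itself stays
 * memory safe; compare the result with max_effects to see when the original
 * code would have indexed past the end of the table. */
int model_unchecked_index(uint16_t code)
{
	return code;
}

/* "After" behaviour: the guard the patch puts in front of ff->playback() in
 * input_ff_event()'s default branch. Returns 0 when the effect is played or
 * stopped, -EINVAL when the event is dropped. */
int model_ff_event(struct ff_model *ff, uint16_t code, int value)
{
	if (model_check_effect_access(ff, code) != 0)
		return -EINVAL;
	if (value)
		ff->play_count[code]++; /* value != 0 starts the effect, 0 stops it */
	return 0;
}

/* Feed every possible 16-bit code through the checked path and count how
 * many are accepted; with one uploaded effect, exactly one code gets through. */
int model_count_playable(struct ff_model *ff)
{
	int accepted = 0;
	for (unsigned int code = 0; code <= 0xFFFF; code++)
		if (model_ff_event(ff, (uint16_t)code, 1) == 0)
			accepted++;
	return accepted;
}

/* Fixture used by the demo: a device with 16 slots and only slot 3 uploaded. */
static void model_fixture(struct ff_model *ff)
{
	*ff = (struct ff_model){ .max_effects = MODEL_MAX_EFFECTS };
	ff->uploaded[3] = true;
}

/* Result of playing `code` once on the fixture device. */
int model_demo_rc(uint16_t code)
{
	struct ff_model ff;
	model_fixture(&ff);
	return model_ff_event(&ff, code, 1);
}

/* Number of distinct codes the fixture device will actually play. */
int model_demo_playable_count(void)
{
	struct ff_model ff;
	model_fixture(&ff);
	return model_count_playable(&ff);
}

int main(void)
{
	uint16_t probes[] = { 3, 5, MODEL_MAX_EFFECTS, 0xFFFF };
	for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
		printf("code %5u: unchecked index %5d (table has %d slots), checked rc %d\n",
		       probes[i], model_unchecked_index(probes[i]), MODEL_MAX_EFFECTS,
		       model_demo_rc(probes[i]));
	printf("codes accepted by the checked path: %d of 65536\n",
	       model_demo_playable_count());
	return 0;
}
```

Build with `cc -std=c99` and run: the unchecked index for code 0xFFFF lands far past the 16-slot table, while the checked path accepts exactly one of the 65536 possible codes and rejects both the unallocated slot 5 and everything at or beyond max_effects.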