From: Marc Zyngier <maz@kernel.org>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Jiri Kosina <jikos@kernel.org>,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH 1/2] Input; Sanitize event code before modifying bitmaps
Date: Wed, 26 Aug 2020 14:32:38 +0100 [thread overview]
Message-ID: <bcf65dce766d0376027e80bf205b095d@kernel.org> (raw)
In-Reply-To: <20200824195102.GY1665100@dtor-ws>
Hi Dmitry,
On 2020-08-24 20:51, Dmitry Torokhov wrote:
> Hi Marc,
>
> On Mon, Aug 17, 2020 at 12:26:59PM +0100, Marc Zyngier wrote:
>> When calling into input_set_capability(), the passed event code is
>> blindly used to set a bit in a number of bitmaps, without checking
>> whether this actually fits the expected size of the bitmap.
>>
>> This event code can come from a variety of sources, including devices
>> masquerading as input devices, only a bit more "programmable".
>>
>> Instead of taking the raw event code, sanitize it to the actual bitmap
>> size and output a warning to let the user know.
>>
>> These checks are, at least in spirit, in keeping with cb222aed03d7
>> ("Input: add safety guards to input_set_keycode()").
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Marc Zyngier <maz@kernel.org>
>> ---
>> drivers/input/input.c | 16 +++++++++++++++-
>> 1 file changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/input/input.c b/drivers/input/input.c
>> index 3cfd2c18eebd..1e77cf47aa44 100644
>> --- a/drivers/input/input.c
>> +++ b/drivers/input/input.c
>> @@ -1974,14 +1974,18 @@ EXPORT_SYMBOL(input_get_timestamp);
>> * In addition to setting up corresponding bit in appropriate
>> capability
>> * bitmap the function also adjusts dev->evbit.
>> */
>> -void input_set_capability(struct input_dev *dev, unsigned int type,
>> unsigned int code)
>> +void input_set_capability(struct input_dev *dev, unsigned int type,
>> unsigned int raw_code)
>> {
>> + unsigned int code = raw_code;
>> +
>> switch (type) {
>> case EV_KEY:
>> + code &= KEY_MAX;
>> __set_bit(code, dev->keybit);
>
>
> I would much rather prefer we did not simply set some random bits in
> this case, but instead complained loudly and refused to alter anything.
>
> The function is not exported directly to userspace, so we expect
> callers
> to give us sane inputs, and I believe WARN() splash in case of bad
> inputs would be the best solution here.
Fair enough. I've moved the checking to the HID layer (using
hid_map_usage() as the validation primitive), which makes
changing input_set_capability() irrelevant.
I'll post v2 shortly in the form of a single patch.
Thanks,
M.
--
Jazz is not dead. It just smells funny...
next prev parent reply other threads:[~2020-08-26 13:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-17 11:26 [PATCH 0/2] input/hid: Fix bitmap boundary validation Marc Zyngier
2020-08-17 11:26 ` [PATCH 1/2] Input; Sanitize event code before modifying bitmaps Marc Zyngier
2020-08-24 19:51 ` Dmitry Torokhov
2020-08-26 13:32 ` Marc Zyngier [this message]
2020-08-17 11:27 ` [PATCH 2/2] HID: core; Sanitize event code and type before mapping input Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bcf65dce766d0376027e80bf205b095d@kernel.org \
--to=maz@kernel.org \
--cc=benjamin.tissoires@redhat.com \
--cc=dmitry.torokhov@gmail.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).