Date: Fri, 20 Feb 2026 18:33:55 -0800
From: Dmitry Torokhov
To: Ariel Silver
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: Subject: [PATCH] Input: atkbd - validate scancode in firmware keymap entries

Hi Ariel,

On Fri, Feb 20, 2026 at 10:44:28AM +0200, Ariel Silver wrote:
> The SCANCODE() macro extracts a 16-bit value (0..65535) from firmware
> device property data, but atkbd_get_keymap_from_fwnode() uses it
> directly to index atkbd->keycode[], which only has ATKBD_KEYMAP_SIZE
> (512) elements. A firmware-supplied scancode >= 512 causes a heap
> out-of-bounds write that can corrupt adjacent struct atkbd fields and
> neighboring slab objects.
>
> Add a bounds check that rejects the entire firmware keymap if any entry
> contains an out-of-range scancode, consistent with the validation
> performed by matrix_keypad_parse_keymap() in drivers/input/matrix-keymap.c
> for the same "linux,keymap" property format. When rejected, the driver
> falls back to the default keycode table.
>
> Fixes: 9d17ad2369dc ("Input: atkbd - receive and use physcode->keycode
> mapping from FW")
> Reported-by: Ariel Silver
> Signed-off-by: Ariel Silver
> Cc: stable@vger.kernel.org

Was it observed on real hardware or is this theoretical? I do not think this needs to go to stable, but otherwise I will apply it.

> ---
> drivers/input/keyboard/atkbd.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/input/keyboard/atkbd.c b/drivers/input/keyboard/atkbd.c
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/input/keyboard/atkbd.c
> +++ b/drivers/input/keyboard/atkbd.c
> @@ -1111,6 +1111,13 @@ static int atkbd_get_keymap_from_fwnode(struct
> atkbd *atkbd)
> for (i = 0; i < n; i++) {
> scancode = SCANCODE(ptr[i]);
> keycode = KEYCODE(ptr[i]);
> + if (scancode >= ATKBD_KEYMAP_SIZE) {
> + dev_warn(dev,
> + "invalid scancode 0x%x in FW keymap entry %d\n",
> + scancode, i);
> + kfree(ptr);
> + return -EINVAL;
> + }
> atkbd->keycode[scancode] = keycode;
> }

I think you pasted this to the gmail web interface, which resulted in line wrapping and messed up indentation. I untangled it, but if you plan on sending more kernel patches please try to not use the web interface. Making "git send-email" working might be worth it, or look into "b4 send" with a web endpoint.

Thanks.

--
Dmitry
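
Review bot: the bounds check sits inside the same loop that stores into atkbd->keycode[], so by the time entry i is rejected, entries 0..i-1 have already been written and the function returns -EINVAL with a partially applied firmware keymap. The commit message says the driver then falls back to the default keycode table, but nothing visible in this hunk shows that the fallback overwrites those slots. Consider validating all n entries in a first pass before any store, or stating in the commit message that the caller reinitialises the whole table on error.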
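
A user-space model of the check discussed in this thread, added here as an example (not code from the patch or the kernel tree): it validates every packed entry before writing any, so a rejected keymap leaves the table untouched. The helper name `apply_fw_keymap`, the entry macros and their bit layout (scancode in the upper 16 bits, keycode in the lower 16) are assumptions; only the table size of 512 comes from the message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEYMAP_SIZE 512 /* ATKBD_KEYMAP_SIZE as stated in the commit message */

/* Assumed layout of one packed entry: scancode in bits 31..16, keycode in bits 15..0. */
#define ENTRY_SCANCODE(e) (((e) >> 16) & 0xFFFFu)
#define ENTRY_KEYCODE(e)  ((e) & 0xFFFFu)

/*
 * Hypothetical helper: apply a firmware keymap to table[KEYMAP_SIZE].
 * Pass 1 validates every entry, pass 2 writes. On rejection the table is
 * left exactly as the caller provided it, and *bad (if non-NULL) receives
 * the index of the first offending entry.
 */
int apply_fw_keymap(uint16_t *table, const uint32_t *entries, size_t n, size_t *bad)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (ENTRY_SCANCODE(entries[i]) >= KEYMAP_SIZE) {
			if (bad)
				*bad = i;
			return -EINVAL;
		}
	}
	for (i = 0; i < n; i++)
		table[ENTRY_SCANCODE(entries[i])] = (uint16_t)ENTRY_KEYCODE(entries[i]);
	return 0;
}

int main(void)
{
	/* Constructed sample data, not taken from any real firmware. */
	static const uint32_t good[] = { 0x001E001Eu, 0x01FF0058u };
	static const uint32_t evil[] = { 0x001E0030u, 0x02000001u, 0xFFFF0002u };
	uint16_t table[KEYMAP_SIZE] = { 0 };
	size_t bad = 0;
	int rc;

	rc = apply_fw_keymap(table, good, 2, &bad);
	printf("good keymap: rc=%d\n", rc);
	rc = apply_fw_keymap(table, evil, 3, &bad);
	printf("evil keymap: rc=%d, first bad entry=%zu\n", rc, bad);
	printf("table[0x1e] is still 0x%x\n", (unsigned)table[0x1E]);
	return 0;
}
```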