From patchwork Thu Sep 13 16:17:30 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Herrmann X-Patchwork-Id: 1453541 Return-Path: X-Original-To: patchwork-linux-input@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork1.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork1.kernel.org (Postfix) with ESMTP id 785E33FE79 for ; Thu, 13 Sep 2012 16:16:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758531Ab2IMQQM (ORCPT ); Thu, 13 Sep 2012 12:16:12 -0400 Received: from mail-we0-f174.google.com ([74.125.82.174]:35496 "EHLO mail-we0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755580Ab2IMQQL (ORCPT ); Thu, 13 Sep 2012 12:16:11 -0400 Received: by weyx8 with SMTP id x8so1792808wey.19 for ; Thu, 13 Sep 2012 09:16:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=from:to:cc:subject:date:message-id:x-mailer; bh=6JRwR0Diu/3P2r8x0IJtVo5pAFyrJXTMdEgyNUQ4FDw=; b=pDHqnBrEz8ou6phki0zEUXrhlgmVAzjgqeo8AEa77a1W422HCTxlVkFO/0pBFvMCPz 7CujQ5Z3w1zzYAZ5PKNREoXpFfw/MJcJH85lLPRi+uY7kfnRNRJrIMySg1O3ZOd7s2Wq dtxJmIPksFreeRRwuE/wcOxGLvjipbX0K5b8QVQHqnHrFV3VJjtI9BQzXhQz3YxcUGUy 1qST+TCQBMgEhaAbI7GCiS/oRTq5sxu2wL3eJGo3qoWTmSKB4sUdr8fbRApPY5SqMEEt uGhMJfjbSs9jyCaMkHC1A72RPs2t4cm7lji83NWsc9IRvIVgVjmcj0kJL4j6F0iiz3IP UoYg== Received: by 10.180.81.165 with SMTP id b5mr41485867wiy.17.1347552969565; Thu, 13 Sep 2012 09:16:09 -0700 (PDT) Received: from localhost.localdomain (stgt-5f71b56d.pool.mediaWays.net. [95.113.181.109]) by mx.google.com with ESMTPS id bc2sm21401792wib.0.2012.09.13.09.16.07 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 13 Sep 2012 09:16:07 -0700 (PDT) From: David Herrmann To: linux-input@vger.kernel.org Cc: Dmitry Torokhov , David Herrmann , Subject: [PATCH] input: fix input_open_file() accessing out-of-bound buffers Date: Thu, 13 Sep 2012 18:17:30 +0200 Message-Id: <1347553050-25480-1-git-send-email-dh.herrmann@googlemail.com> X-Mailer: git-send-email 1.7.12 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org The "input_table" array is very small and we cannot be sure that the file the user opens has a minor-ID below 256 (8 << 5). Hence, simply check that the minor isn't out-of-bounds. If it is, return -ENODEV. Signed-off-by: David Herrmann Cc: --- drivers/input/input.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/input/input.c b/drivers/input/input.c index 8921c61..eb65ad7 100644 --- a/drivers/input/input.c +++ b/drivers/input/input.c @@ -2095,13 +2095,19 @@ static int input_open_file(struct inode *inode, struct file *file) struct input_handler *handler; const struct file_operations *old_fops, *new_fops = NULL; int err; + unsigned int minor_group; err = mutex_lock_interruptible(&input_mutex); if (err) return err; /* No load-on-demand here? */ - handler = input_table[iminor(inode) >> 5]; + + minor_group = iminor(inode) >> 5; + if (minor_group >= sizeof(input_table) / sizeof(*input_table)) + return -ENODEV; + + handler = input_table[minor_group]; if (handler) new_fops = fops_get(handler->fops);