From patchwork Mon Aug 17 11:26:59 2020
X-Patchwork-Submitter: Marc Zyngier
X-Patchwork-Id: 11718035
From: Marc Zyngier
To: Dmitry Torokhov, Jiri Kosina, Benjamin Tissoires
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 1/2] Input; Sanitize event code before modifying bitmaps
Date: Mon, 17 Aug 2020 12:26:59 +0100
Message-Id: <20200817112700.468743-2-maz@kernel.org>
In-Reply-To: <20200817112700.468743-1-maz@kernel.org>
References: <20200817112700.468743-1-maz@kernel.org>

When calling into input_set_capability(), the passed event code is
blindly used to set a bit in a number of bitmaps, without checking
whether this actually fits the expected size of the bitmap.

This event code can come from a variety of sources, including devices
masquerading as input devices, only a bit more "programmable".

Instead of taking the raw event code, sanitize it to the actual bitmap
size and output a warning to let the user know.

These checks are, at least in spirit, in keeping with cb222aed03d7
("Input: add safety guards to input_set_keycode()").

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier
---
 drivers/input/input.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/input/input.c b/drivers/input/input.c
index 3cfd2c18eebd..1e77cf47aa44 100644
--- a/drivers/input/input.c +++ b/drivers/input/input.c @@ -1974,14 +1974,18 @@ EXPORT_SYMBOL(input_get_timestamp); * In addition to setting up corresponding bit in appropriate capability * bitmap the function also adjusts dev->evbit. */ -void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int code) +void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int raw_code) { + unsigned int code = raw_code; + switch (type) { case EV_KEY: + code &= KEY_MAX; __set_bit(code, dev->keybit); break; case EV_REL: + code &= REL_MAX; __set_bit(code, dev->relbit); break; @@ -1990,26 +1994,32 @@ void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int if (!dev->absinfo) return; + code &= ABS_MAX; __set_bit(code, dev->absbit); break; case EV_MSC: + code &= MSC_MAX; __set_bit(code, dev->mscbit); break; case EV_SW: + code &= SW_MAX; __set_bit(code, dev->swbit); break; case EV_LED: + code &= LED_MAX; __set_bit(code, dev->ledbit); break; case EV_SND: + code &= SND_MAX; __set_bit(code, dev->sndbit); break; case EV_FF: + code &= FF_MAX; __set_bit(code, dev->ffbit); break; 
@@ -2023,6 +2033,10 @@ void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int return; } + if (unlikely(code != raw_code)) + pr_warn_ratelimited("%s: Truncated code %d to %d for type %d\n", + dev->name, raw_code, code, type); + __set_bit(type, dev->evbit); } EXPORT_SYMBOL(input_set_capability);

From patchwork Mon Aug 17 11:27:00 2020
X-Patchwork-Submitter: Marc Zyngier
X-Patchwork-Id: 11718037
From: Marc Zyngier
To: Dmitry Torokhov, Jiri Kosina, Benjamin Tissoires
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 2/2] HID: core; Sanitize event code and type before mapping input
Date: Mon, 17 Aug 2020 12:27:00 +0100
Message-Id: <20200817112700.468743-3-maz@kernel.org>
In-Reply-To: <20200817112700.468743-1-maz@kernel.org>
References: <20200817112700.468743-1-maz@kernel.org>

When calling into hid_map_usage(), the passed event code is
blindly stored as is, even if it doesn't fit in the associated bitmap.

This event code can come from a variety of sources, including devices
masquerading as input devices, only a bit more "programmable".

Instead of taking the raw event code, sanitize it to the actual bitmap
size and output a warning to let the user know.

While we're at it, sanitize the hid_usage structure if the type isn't
known, conveniently placing a NULL pointer as the bitmap in order to
catch unexpected uses.

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier
---
 include/linux/hid.h | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/include/linux/hid.h b/include/linux/hid.h
index 875f71132b14..4cd87d0ec023 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -966,9 +966,6 @@ static inline void hid_map_usage(struct hid_input *hidinput, { struct input_dev *input = hidinput->input; - usage->type = type; - usage->code = c; - switch (type) { case EV_ABS: *bit = input->absbit; @@ -986,7 +983,20 @@ static inline void hid_map_usage(struct hid_input *hidinput, *bit = input->ledbit; *max = LED_MAX; break; + default: + *bit = NULL; + *max = 0; + usage->code = 0; + usage->type = 0; + return; } + + usage->type = type; + usage->code = c & *max; + + if (unlikely(usage->code != c)) + pr_warn_ratelimited("%s: Truncated code %d to %d for type %d\n", + input->name, c, usage->code, type); } /** @@ -1000,7 +1010,8 @@ static inline void hid_map_usage_clear(struct hid_input *hidinput, __u8 type, __u16 c) { hid_map_usage(hidinput, usage, bit, max, type, c); - clear_bit(c, *bit); + if (*bit) + clear_bit(usage->code, *bit); } /**
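
Review bot: In [PATCH 1/2], the `code &= KEY_MAX;` through `code &= FF_MAX;` lines in input_set_capability() act as a range clamp only when the limit has the form 2^n - 1, and nothing in these hunks guarantees that for every event type. KEY_MAX, for one, is 0x2ff, so an in-range key code with bit 8 set is rewritten to a different code and the intended capability is lost, while an out-of-range code is aliased onto an unrelated in-range bit rather than refused. Suggest comparing against the limit instead (`if (code > KEY_MAX)` and so on for each type), warning, and returning without calling `__set_bit()`.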
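
Review bot: In the last hunk of [PATCH 1/2], `raw_code`, `code` and `type` are all `unsigned int` but are printed with `%d` in `pr_warn_ratelimited()`; use `%u`. The check also runs only after the switch has already executed `__set_bit(code, ...)` with the masked value, and the function then continues to `__set_bit(type, dev->evbit)`, so by the time the warning is printed the device has been given a capability it never declared. Consider validating the code and bailing out before any bitmap is touched.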
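
Review bot: In [PATCH 2/2], `usage->code = c & *max;` in hid_map_usage() has the same weakness as the masks in patch 1: it bounds the value only if `*max` is 2^n - 1, otherwise a legitimate code is silently changed. A `c > *max` comparison that rejects the usage would be exact. The new `default:` branch leaves `*bit = NULL`, and only hid_map_usage_clear() gains an `if (*bit)` guard in this patch; since hid_map_usage() returns void, any other caller that dereferences `*bit` afterwards turns a bad device-supplied type into a NULL pointer dereference. Those callers should be audited, or the function should return a status they can check.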