Re: [PATCH] Input: joydev - prevent potential write out of bounds in ioctl

From: Alexander Larkin
Date: Mon Jun 21 2021 - 17:30:41 EST

Next message: Ian Rogers: "Re: [PATCH 1/4] perf test: Fix non-bash issue with stat bpf counters"
Previous message: Daniel Latypov: "Re: [PATCH v4 1/1] lib: Convert UUID runtime test to KUnit"
In reply to: Alexander Larkin: "Re: [PATCH] Input: joydev - prevent potential write out of bounds in ioctl"
Next in thread: Alexander Larkin: "Re: [PATCH] Input: joydev - prevent potential write out of bounds in ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Also I did userspace test (that shows how kernel overwrites (out of array bound) the userspace):
1. The buttons is "__u16 buttons[5]" in userspace,
2. buttons[5] = 1;
3. ioctl(fd, JSIOCGBTNMAP, buttons)
4. printf("new %i\n", buttons[5]),
and the output is "new 0", so the value is being overwritten by kernel (so 1024 bytes copied
to 10 bytes buffer).

It looks like I don't understand what is the expected value of the _IOC_SIZE(cmd),
why not 10 for this read ioctl example? Is it possible to make this ioctl safe, so
it doesn't copy more data than user can handle?

Next message: Ian Rogers: "Re: [PATCH 1/4] perf test: Fix non-bash issue with stat bpf counters"
Previous message: Daniel Latypov: "Re: [PATCH v4 1/1] lib: Convert UUID runtime test to KUnit"
In reply to: Alexander Larkin: "Re: [PATCH] Input: joydev - prevent potential write out of bounds in ioctl"
Next in thread: Alexander Larkin: "Re: [PATCH] Input: joydev - prevent potential write out of bounds in ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]