[PATCH] Input: evdev: don't assume ABS_MAX to be a power-of-2 minus 1

From: David Herrmann
Date: Fri Sep 06 2013 - 17:46:08 EST


ABS_MAX is no longer a full mask. Hence, don't use it directly to get any
parameter for ioctls. Furthermore, the parameter-region and
ioctl-definition overlap, so even bumping ABS_MAX to 0x7f wouldn't help.

Reported-by: Markus Trippelsdorf <markus@xxxxxxxxxxxxxxx>
Signed-off-by: David Herrmann <dh.herrmann@xxxxxxxxx>
---
drivers/input/evdev.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
index d2b34fb..82e0073 100644
--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -939,12 +939,13 @@ static long evdev_do_ioctl(struct file *file,
unsigned int cmd,
_IOC_NR(cmd) & EV_MAX, size,
p, compat_mode);

- if ((_IOC_NR(cmd) & ~ABS_MAX) == _IOC_NR(EVIOCGABS(0))) {
+ if (_IOC_NR(cmd) >= _IOC_NR(EVIOCGABS(0)) &&
+ _IOC_NR(cmd) <= _IOC_NR(EVIOCGABS(ABS_MAX))) {

if (!dev->absinfo)
return -EINVAL;

- t = _IOC_NR(cmd) & ABS_MAX;
+ t = _IOC_NR(cmd) - _IOC_NR(EVIOCGABS(0));
abs = dev->absinfo[t];

if (copy_to_user(p, &abs, min_t(size_t,
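Review bot: The two-sided range test on `_IOC_NR(cmd)` is the only thing that keeps `t` within 0..ABS_MAX before `dev->absinfo[t]` is read and copied out to user space, yet the code carries no comment saying so. The commit message notes that the parameter region and the ioctl definitions overlap, but the source does not record that either. I would add a short comment above the condition stating that the range is inclusive and that masking with ABS_MAX is no longer valid because ABS_MAX is not a full mask. If the overlap can be expressed at compile time, a build-time assertion that the EVIOCGABS(0)..EVIOCGABS(ABS_MAX) range does not reach into another ioctl number would guard the array index against a future bump of ABS_MAX.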
@@ -957,12 +958,13 @@ static long evdev_do_ioctl(struct file *file,
unsigned int cmd,

if (_IOC_DIR(cmd) == _IOC_WRITE) {

- if ((_IOC_NR(cmd) & ~ABS_MAX) == _IOC_NR(EVIOCSABS(0))) {
+ if (_IOC_NR(cmd) >= _IOC_NR(EVIOCSABS(0)) &&
+ _IOC_NR(cmd) <= _IOC_NR(EVIOCSABS(ABS_MAX))) {

if (!dev->absinfo)
return -EINVAL;

- t = _IOC_NR(cmd) & ABS_MAX;
+ t = _IOC_NR(cmd) - _IOC_NR(EVIOCSABS(0));

if (copy_from_user(&abs, p, min_t(size_t,
size, sizeof(struct input_absinfo))))
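Review bot: The write path repeats the same range-check-then-subtract pair as the read path, with EVIOCSABS(0) in place of EVIOCGABS(0), and the two copies can drift apart: a later edit that updates the bound in one branch but not the base in `t = _IOC_NR(cmd) - _IOC_NR(EVIOCSABS(0));` would produce a wrong axis index from a user-supplied `cmd`. Consider a small helper that takes the base ioctl number and `_IOC_NR(cmd)` and returns the axis index, or a negative value when out of range, so both branches share one bounds check and the base used for the comparison is always the base used for the subtraction.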
--
1.8.4
