[PATCH] Input: joydev - prevent potential write out of bounds in ioctl

From: Alexander Larkin
Date: Sun Jun 20 2021 - 08:11:55 EST


The problem is that the check of user input values that is just
before the fixed line of code is for the part of first values
(before len or before len/2), but then the usage of all the values
including i >= len (or i >= len/2) could be.
Since the resulted array of values inited by default with some
good values, the fix is to ignore out of bounds values and
just to use only correct input values by user.
Originally detected by Murray with this simple poc
(If you run the following as an unprivileged user on a default install
it will instantly panic the system:

int main(void) {
int fd, ret;
unsigned int buffer[10000];

fd = open("/dev/input/js0", O_RDONLY);
if (fd == -1)
printf("Error opening file\n");

ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
printf("%d\n", ret);
}

Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Reported-by: Murray McAllister <murray.mcallister@xxxxxxxxx>
Signed-off-by: Alexander Larkin <avlarkin82@xxxxxxxxx>
---
drivers/input/joydev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c
index da8963a9f044..1aa067d4a3e8 100644
--- a/drivers/input/joydev.c
+++ b/drivers/input/joydev.c
@@ -464,7 +464,7 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev,

memcpy(joydev->abspam, abspam, len);

- for (i = 0; i < joydev->nabs; i++)
+ for (i = 0; i < len && i < joydev->nabs; i++)
joydev->absmap[joydev->abspam[i]] = i;

out:
@@ -498,7 +498,7 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,

memcpy(joydev->keypam, keypam, len);

- for (i = 0; i < joydev->nkey; i++)
+ for (i = 0; i < (len / 2) && i < joydev->nkey; i++)
joydev->keymap[keypam[i] - BTN_MISC] = i;

out:
--
2.27.0