| commit | 33d5dd8467f25c5b936efaf2c33f1c1f8288329e | [log] [tgz] |
|---|---|---|
| author | Alexander Larkin <[email protected]> | Sun Jul 04 22:39:36 2021 -0700 |
| committer | COS Cherry Picker <[email protected]> | Wed Jul 21 12:25:45 2021 -0700 |
| tree | 4df0cde1032194307226781e6980384d03d3e280 | |
| parent | e4a16ea22fd96fd2545fb9d403f7e8d31c9fc04a [diff] |
Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
Even though we validate user-provided inputs we then traverse past
validated data when applying the new map. The issue was originally
discovered by Murray McAllister with this simple POC (if the following
is executed by an unprivileged user it will instantly panic the system):
int main(void) {
int fd, ret;
unsigned int buffer[10000];
fd = open("/dev/input/js0", O_RDONLY);
if (fd == -1)
printf("Error opening file\n");
ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
printf("%d\n", ret);
}
The solution is to traverse internal buffer which is guaranteed to only
contain valid date when constructing the map.
BUG=b/193628549
TEST=presubmit
SOURCE=UPSTREAM(f8f84af5da9ee04ef1d271528656dac42a090d00)
RELEASE_NOTE=Fix CVE-2021-3612
cos-patch: security-high
Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
Reported-by: Murray McAllister <[email protected]>
Suggested-by: Linus Torvalds <[email protected]>
Signed-off-by: Alexander Larkin <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: [email protected]
Signed-off-by: Dmitry Torokhov <[email protected]>
Change-Id: I08bedd8bab51fd174e603ceeca3370bcb9bb1345
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/19612
Main-Branch-Verified: Cusky Presubmit Bot <[email protected]>
Reviewed-by: Roy Yang <[email protected]>
Tested-by: Oleksandr Tymoshenko <[email protected]>