aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDmitry Torokhov <dmitry.torokhov@gmail.com>2018-04-06 13:23:05 -0400
committerDmitry Torokhov <dmitry.torokhov@gmail.com>2018-04-11 17:52:59 -0400
commit6bd6ae639683c0b41f46990d5c64ff9fbfa019dc (patch)
tree6c6b208922fdf50ddddf3e072048d6e07cb2fa5a
parent839c42273617787318da7baf6151d553108f5e17 (diff)
Input: leds - fix out of bound access
UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with led > LED_CHARGING: [ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds] [ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128 This happens because we were writing to the led structure before making sure that it exists. Reported-by: Tasos Sahanidis <tasos@tasossah.com> Tested-by: Tasos Sahanidis <tasos@tasossah.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Diffstat
-rw-r--r--drivers/input/input-leds.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c
index 766bf2660116..5f04b2d94635 100644
--- a/drivers/input/input-leds.c
+++ b/drivers/input/input-leds.c
@@ -88,6 +88,7 @@ static int input_leds_connect(struct input_handler *handler,
88 const struct input_device_id *id) 88 const struct input_device_id *id)
89{ 89{
90 struct input_leds *leds; 90 struct input_leds *leds;
91 struct input_led *led;
91 unsigned int num_leds; 92 unsigned int num_leds;
92 unsigned int led_code; 93 unsigned int led_code;
93 int led_no; 94 int led_no;
@@ -119,14 +120,13 @@ static int input_leds_connect(struct input_handler *handler,
119 120
120 led_no = 0; 121 led_no = 0;
121 for_each_set_bit(led_code, dev->ledbit, LED_CNT) { 122 for_each_set_bit(led_code, dev->ledbit, LED_CNT) {
122 struct input_led *led = &leds->leds[led_no]; 123 if (!input_led_info[led_code].name)
124 continue;
123 125
126 led = &leds->leds[led_no];
124 led->handle = &leds->handle; 127 led->handle = &leds->handle;
125 led->code = led_code; 128 led->code = led_code;
126 129
127 if (!input_led_info[led_code].name)
128 continue;
129
130 led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", 130 led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s",
131 dev_name(&dev->dev), 131 dev_name(&dev->dev),
132 input_led_info[led_code].name); 132 input_led_info[led_code].name);
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-27 10:11:33 -0400