Re: [PATCH] Input: leds - fix out of bound access
On Fri, Apr 06, 2018 at 11:12:42AM -0700, Dmitry Torokhov wrote: > UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with > led > LED_CHARGING: > > [ 1274.663418] BUG: KASAN: slab-out-of-bounds in > input_leds_connect+0x611/0x730 [input_leds] > [ 1274.663426] Write of size 8 at addr 88003377b2c0 by task > ckb-next-daemon/5128 > > This happens because we were writing to the led structure before making > sure that it exists. > > Reported-by: Tasos Sahanidis > Tested-by: Tasos Sahanidis > Cc: sta...@vger.kernel.org > Signed-off-by: Dmitry Torokhov Reviewed-by: Peter Hutterer Cheers, Peter > --- > drivers/input/input-leds.c | 8 > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c > index 766bf26601163..5f04b2d946350 100644 > --- a/drivers/input/input-leds.c > +++ b/drivers/input/input-leds.c > @@ -88,6 +88,7 @@ static int input_leds_connect(struct input_handler *handler, > const struct input_device_id *id) > { > struct input_leds *leds; > + struct input_led *led; > unsigned int num_leds; > unsigned int led_code; > int led_no; > @@ -119,14 +120,13 @@ static int input_leds_connect(struct input_handler > *handler, > > led_no = 0; > for_each_set_bit(led_code, dev->ledbit, LED_CNT) { > - struct input_led *led = &leds->leds[led_no]; > + if (!input_led_info[led_code].name) > + continue; > > + led = &leds->leds[led_no]; > led->handle = &leds->handle; > led->code = led_code; > > - if (!input_led_info[led_code].name) > - continue; > - > led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", > dev_name(&dev->dev), > input_led_info[led_code].name); > -- > 2.17.0.484.g0c8726318c-goog
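Review bot: the second hunk is the real fix and the new order is the right one, but its correctness depends on lines the hunk does not show: please confirm that `led_no` is advanced only after a named code is filled in and that `num_leds` (computed above line 120) counts exactly the codes that pass the `input_led_info[led_code].name` test, since `leds->leds[]` is sized from it. With the old order, `led = &leds->leds[led_no]` plus the writes to `led->handle` and `led->code` happened before the name check, so a set bit with no name entry (the `led > LED_CHARGING` case in the commit message) wrote to a slot that was never counted, which is the slab-out-of-bounds write KASAN reports; moving `if (!input_led_info[led_code].name) continue;` ahead of the assignment means unnamed codes never touch the array at all.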
Re: [PATCH] Input: leds - fix out of bound access
Hi,

[This is an automated email]

This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all

The bot has also determined it's probably a bug fixing patch. (score: 97.7389)

The bot has tested the following trees: v4.16.1, v4.15.16, v4.14.33, v4.9.93, v4.4.127.

v4.16.1: Build OK!
v4.15.16: Build OK!
v4.14.33: Build OK!
v4.9.93: Build OK!
v4.4.127: Build OK!

Please let us know if you'd like to have this patch included in a stable tree.

--
Thanks,
Sasha
[PATCH] Input: leds - fix out of bound access
UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with led > LED_CHARGING: [ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds] [ 1274.663426] Write of size 8 at addr 88003377b2c0 by task ckb-next-daemon/5128 This happens because we were writing to the led structure before making sure that it exists. Reported-by: Tasos Sahanidis Tested-by: Tasos Sahanidis Cc: sta...@vger.kernel.org Signed-off-by: Dmitry Torokhov --- drivers/input/input-leds.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c index 766bf26601163..5f04b2d946350 100644 --- a/drivers/input/input-leds.c +++ b/drivers/input/input-leds.c @@ -88,6 +88,7 @@ static int input_leds_connect(struct input_handler *handler, const struct input_device_id *id) { struct input_leds *leds; + struct input_led *led; unsigned int num_leds; unsigned int led_code; int led_no; @@ -119,14 +120,13 @@ static int input_leds_connect(struct input_handler *handler, led_no = 0; for_each_set_bit(led_code, dev->ledbit, LED_CNT) { - struct input_led *led = &leds->leds[led_no]; + if (!input_led_info[led_code].name) + continue; + led = &leds->leds[led_no]; led->handle = &leds->handle; led->code = led_code; - if (!input_led_info[led_code].name) - continue; - led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", dev_name(&dev->dev), input_led_info[led_code].name); -- 2.17.0.484.g0c8726318c-goog -- Dmitry
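Review bot: hoisting `struct input_led *led;` to function scope in the first hunk is needed only so the second hunk can place the name check before `led = &leds->leds[led_no];` without a declaration after a statement, which is fine for kernel style; `led` has no use outside the loop, so leaving it uninitialized at the declaration is correct. It would help future readers to say in the commit message that the declaration move is purely to enable the reorder, since on its own the first hunk looks like an unrelated cleanup.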