Commit 409353c

jlabundy authored and dtor committed
Input: add bounds checking to input_set_capability()
Update input_set_capability() to prevent kernel panic in case the event code exceeds the bitmap for the given event type.

Suggested-by: Tomasz Moń <tomasz.mon@camlingroup.com>
Signed-off-by: Jeff LaBundy <jeff@labundy.com>
Reviewed-by: Tomasz Moń <tomasz.mon@camlingroup.com>
Link: https://lore.kernel.org/r/20220320032537.545250-1-jeff@labundy.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

1 parent 07fc21b commit 409353c

1 file changed

+19
-0
lines changed

Diff for: drivers/input/input.c

@@ -47,6 +47,17 @@ static DEFINE_MUTEX(input_mutex);
4747

4848
static const struct input_value input_value_sync = { EV_SYN, SYN_REPORT, 1 };
4949

50+
static const unsigned int input_max_code[EV_CNT] = {
51+
[EV_KEY] = KEY_MAX,
52+
[EV_REL] = REL_MAX,
53+
[EV_ABS] = ABS_MAX,
54+
[EV_MSC] = MSC_MAX,
55+
[EV_SW] = SW_MAX,
56+
[EV_LED] = LED_MAX,
57+
[EV_SND] = SND_MAX,
58+
[EV_FF] = FF_MAX,
59+
};
60+
5061
static inline int is_event_supported(unsigned int code,
5162
unsigned long *bm, unsigned int max)
5263
{
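
Review bot: input_max_code[] is added without a comment saying how its entries are to be read, and two properties of the table matter to anyone who extends or reuses it. The values are the inclusive *_MAX constants (KEY_MAX, REL_MAX, and so on), not counts, so a comparison against them has to be `code > max` rather than `>=`. The array is sized EV_CNT but only eight types are initialized, so every other type is left at 0, and a reader cannot tell from the table alone whether 0 means "no valid codes" or "not bounded". A short comment above the initializer stating both points would guard against a later off-by-one or a type that silently goes unchecked.
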
@@ -2110,6 +2121,14 @@ EXPORT_SYMBOL(input_get_timestamp);
21102121
*/
21112122
void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int code)
21122123
{
2124+
if (type < EV_CNT && input_max_code[type] &&
2125+
code > input_max_code[type]) {
2126+
pr_err("%s: invalid code %u for type %u\n", __func__, code,
2127+
type);
2128+
dump_stack();
2129+
return;
2130+
}
2131+
21132132
switch (type) {
21142133
case EV_KEY:
21152134
__set_bit(code, dev->keybit);
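
Review bot: the pr_err() in the new guard at the top of input_set_capability() reports only `__func__`, `code` and `type`, so the log line does not identify which device was being configured even though `dev` is in scope; naming the device in the message would make it usable without reading the dump_stack() output. Two further points on the same condition. The `input_max_code[type] &&` term means a type whose table entry is 0 skips the bound check, and a `type` that fails `type < EV_CNT` also falls through to the switch, so the guard depends on the switch to handle both cases; a one-line comment saying so would help. Because the function returns void, the caller continues with the capability unset and no error to act on, which is worth stating in the kernel-doc comment that ends just above the function.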