mirror of
https://gitee.com/bianbu-linux/linux-6.6
synced 2025-04-26 14:17:26 -04:00
Input: force feedback - potential integer wrap in input_ff_create()
The problem here is that max_effects can wrap on 32 bits systems.
We'd allocate a smaller amount of data than sizeof(struct ff_device).
The call to kcalloc() on the next line would fail but it would write
the NULL return outside of the memory we just allocated causing data
corruption.
The call path is that uinput_setup_device() get ->ff_effects_max from
the user and sets the value in the ->private_data struct. From there
it is:
-> uinput_ioctl_handler()
-> uinput_create_device()
-> input_ff_create(dev, udev->ff_effects_max);
I've also changed ff_effects_max so it's an unsigned int instead of
a signed int as a cleanup.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
This commit is contained in:
Dan Carpenter
Dmitry Torokhov
parent
341deefe8f
commit
05be8b81aa
3 changed files with 10 additions and 5 deletions
|
|
@ -68,7 +68,7 @@ struct uinput_device {
|
|||
unsigned char head;
|
||||
unsigned char tail;
|
||||
struct input_event buff[UINPUT_BUFFER_SIZE];
|
||||
int ff_effects_max;
|
||||
unsigned int ff_effects_max;
|
||||
|
||||
struct uinput_request *requests[UINPUT_NUM_REQUESTS];
|
||||
wait_queue_head_t requests_waitq;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue