git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit

author	Marc Zyngier <maz@kernel.org>
	Tue, 1 Sep 2020 09:52:33 +0000 (10:52 +0100)
committer	Kelsey Skunberg <kelsey.skunberg@canonical.com>
	Thu, 17 Sep 2020 06:47:01 +0000 (00:47 -0600)
commit	71ba6c0a4afe5769d3bf83bde5be813f4a2d7d85
tree	8a9a171288d0b08cc338f045e7668fbba48f6a63	tree
parent	71ab97200fbabb89e54e83a3736847620a31d18d	commit \| diff

HID: core: Sanitize event code and type when mapping input

BugLink: https://bugs.launchpad.net/bugs/1895879
commit 35556bed836f8dc07ac55f69c8d17dce3e7f0e25 upstream.

When calling into hid_map_usage(), the passed event code is
blindly stored as is, even if it doesn't fit in the associated bitmap.

This event code can come from a variety of sources, including devices
masquerading as input devices, only a bit more "programmable".

Instead of taking the event code at face value, check that it actually
fits the corresponding bitmap, and if it doesn't:
- spit out a warning so that we know which device is acting up
- NULLify the bitmap pointer so that we catch unexpected uses

Code paths that can make use of untrusted inputs can now check
that the mapping was indeed correct and bail out if not.

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>

drivers/hid/hid-input.c		diff \| blob \| blame \| history
drivers/hid/hid-multitouch.c		diff \| blob \| blame \| history
include/linux/hid.h		diff \| blob \| blame \| history