Commit daf6cd0c authored Dec 18, 2015 by Elias Vanderstuyft Committed by Dmitry Torokhov Dec 18, 2015

Input: uinput - sanity check on ff_effects_max and EV_FF



Currently the user can set ff_effects_max to zero with the EV_FF bit (and
the FF_GAIN and/or FF_AUTOCENTER bits) set, in this case the uninitialized
methods ff->set_gain and/or ff->set_autocenter can be dereferenced,
resulting in a kernel oops.

Check in uinput_create_device() and print a helpful message and return
-EINVAL in case the check fails.

Signed-off-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

parent fbae10db

drivers/input/misc/uinput.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -272,6 +272,13 @@ static int uinput_create_device(struct uinput_device *udev)
		input_set_events_per_packet(dev, 60);
		}

		if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
		printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n",
		UINPUT_NAME);
		error = -EINVAL;
		goto fail1;
		}

		if (udev->ff_effects_max) {
		error = input_ff_create(dev, udev->ff_effects_max);
		if (error)