ANDROID: input: keychord: Fix a slab out-of-bounds read. (92fc7f9a) · Commits · e / devices / android_kernel_oneplus_sm8150

drivers/input/misc/keychord.c

+22 −6

Original line number	Diff line number	Diff line
		@@ -232,9 +232,11 @@ static ssize_t keychord_write(struct file file, const char __user buffer,
		{
		struct keychord_device *kdev = file->private_data;
		struct input_keychord *keychords = 0;
		struct input_keychord keychord, next, *end;
		struct input_keychord *keychord;
		int ret, i, key;
		unsigned long flags;
		size_t resid = count;
		size_t key_bytes;

		if (count < sizeof(struct input_keychord))
		return -EINVAL;
		@@ -265,15 +267,29 @@ static ssize_t keychord_write(struct file file, const char __user buffer,
		kdev->head = kdev->tail = 0;

		keychord = keychords;
		end = (struct input_keychord )((char )keychord + count);

		while (keychord < end) {
		next = NEXT_KEYCHORD(keychord);
		if (keychord->count <= 0 \|\| next > end) {
		while (resid > 0) {
		/* Is the entire keychord entry header present ? */
		if (resid < sizeof(struct input_keychord)) {
		pr_err("keychord: Insufficient bytes present for header %zu\n",
		resid);
		goto err_unlock_return;
		}
		resid -= sizeof(struct input_keychord);
		if (keychord->count <= 0) {
		pr_err("keychord: invalid keycode count %d\n",
		keychord->count);
		goto err_unlock_return;
		}
		key_bytes = keychord->count * sizeof(keychord->keycodes[0]);
		/* Do we have all the expected keycodes ? */
		if (resid < key_bytes) {
		pr_err("keychord: Insufficient bytes present for keycount %zu\n",
		resid);
		goto err_unlock_return;
		}
		resid -= key_bytes;

		if (keychord->version != KEYCHORD_VERSION) {
		pr_err("keychord: unsupported version %d\n",
		keychord->version);
		@@ -292,7 +308,7 @@ static ssize_t keychord_write(struct file file, const char __user buffer,
		}

		kdev->keychord_count++;
		keychord = next;
		keychord = NEXT_KEYCHORD(keychord);
		}

		kdev->keychords = keychords;