evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/drivers/tty/vt
History
Dmitry Torokhov 7d091e02c9 tty/vt/keyboard: fix OOB access in do_compute_shiftstate() 
commit 510cccb5b0c8868a2b302a0ab524da7912da648b upstream.

The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS,
which is currently 256, whereas number of keys/buttons in input device (and
therefor in key_down) is much larger - KEY_CNT - 768, and that can cause
out-of-bound access when we do

	sym = U(key_maps[0][k]);

with large 'k'.

To fix it we should not attempt iterating beyond smaller of NR_KEYS and
KEY_CNT.

Also while at it let's switch to for_each_set_bit() instead of open-coding
it.

Reported-by: Sasha Levin <sasha.levin@oracle.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-07-27 09:47:37 -07:00
..
.gitignore
consolemap.c tty: consolemap.c: move assignment out of if () block 2015-05-10 19:04:16 +02:00
cp437.uni
defkeymap.c_shipped
defkeymap.map
keyboard.c tty/vt/keyboard: fix OOB access in do_compute_shiftstate() 2016-07-27 09:47:37 -07:00
Makefile tty: vt/Makefile: set the variables to static 2013-01-15 21:52:24 -08:00
selection.c tty: vt: Fix !TASK_RUNNING diagnostic warning from paste_selection() 2015-07-23 18:08:29 -07:00
vc_screen.c vc: switch to fixed_size_llseek() 2013-06-29 12:57:30 +04:00
vt.c tty: vt: Fix soft lockup in fbcon cursor blink timer. 2016-07-27 09:47:37 -07:00
vt_ioctl.c vt: vt_ioctl: use msecs_to_jiffies for time conversion 2015-03-07 04:02:26 +01:00