evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/drivers/tty
History
Dmitry Torokhov 7d091e02c9 tty/vt/keyboard: fix OOB access in do_compute_shiftstate() 
commit 510cccb5b0c8868a2b302a0ab524da7912da648b upstream.

The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS,
which is currently 256, whereas number of keys/buttons in input device (and
therefor in key_down) is much larger - KEY_CNT - 768, and that can cause
out-of-bound access when we do

	sym = U(key_maps[0][k]);

with large 'k'.

To fix it we should not attempt iterating beyond smaller of NR_KEYS and
KEY_CNT.

Also while at it let's switch to for_each_set_bit() instead of open-coding
it.

Reported-by: Sasha Levin <sasha.levin@oracle.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-07-27 09:47:37 -07:00
..
hvc TTY/Serial driver patches for 4.4-rc1 2015-11-04 21:35:12 -08:00
ipwireless
serial QE-UART: add "fsl,t1040-ucc-uart" to of_device_id 2016-06-07 18:14:35 -07:00
vt tty/vt/keyboard: fix OOB access in do_compute_shiftstate() 2016-07-27 09:47:37 -07:00
amiserial.c tty: amiserial.c: move assignment out of if () block 2015-05-10 19:04:16 +02:00
bfin_jtag_comm.c
cyclades.c tty: Remove ASYNC_CLOSING checks in open()/hangup() methods 2015-10-17 21:11:29 -07:00
ehv_bytechan.c
goldfish.c staging: goldfish: Fix pointer cast for 32 bits 2015-05-31 11:40:14 +09:00
isicom.c
Kconfig
Makefile
metag_da.c tty/metag_da: Avoid module_init/module_exit in non-modular code 2015-06-16 14:12:31 -04:00
mips_ejtag_fdc.c ttyFDC: Fix build problems due to use of module_{init,exit} 2015-10-17 21:29:21 -07:00
moxa.c
moxa.h
mxser.c
mxser.h
n_gsm.c TTY: n_gsm, fix false positive WARN_ON 2016-06-01 12:15:52 -07:00
n_hdlc.c Fix OpenSSH pty regression on close 2016-06-01 12:15:52 -07:00
n_r3964.c tty: r3964: Replace/remove bogus tty lock use 2015-10-17 21:11:29 -07:00
n_tracerouter.c n_tracerouter: stop including <asm-generic/bug> 2015-10-15 00:21:10 +02:00
n_tracesink.c n_tracesink: stop including <asm-generic/bug> 2015-10-15 00:21:11 +02:00
n_tracesink.h
n_tty.c Fix OpenSSH pty regression on close 2016-06-01 12:15:52 -07:00
nozomi.c drivers/tty/nozomi.c: rename CONFIG_MAGIC 2015-05-10 19:19:06 +02:00
pty.c Fix OpenSSH pty regression on close 2016-06-01 12:15:52 -07:00
rocket.c tty: Remove tty_port::close_wait 2015-10-17 21:11:29 -07:00
rocket.h tty: rocket: fix comment of ROCKET_SPD_HI 2015-05-24 12:49:16 -07:00
rocket_int.h
synclink.c tty: synclink, fix indentation 2015-10-17 21:14:06 -07:00
synclink_gt.c tty: Remove ASYNC_CLOSING checks in open()/hangup() methods 2015-10-17 21:11:29 -07:00
synclinkmp.c tty: Remove ASYNC_CLOSING checks in open()/hangup() methods 2015-10-17 21:11:29 -07:00
sysrq.c drivers/tty: make sysrq.c slightly more explicitly non-modular 2015-10-04 17:27:56 +01:00
tty_audit.c tty: audit: Fix audit source 2015-11-20 16:19:54 -08:00
tty_buffer.c Fix OpenSSH pty regression on close 2016-06-01 12:15:52 -07:00
tty_io.c tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) 2016-02-17 12:31:02 -08:00
tty_ioctl.c tty: Fix tty_send_xchar() lock order inversion 2015-11-20 16:19:54 -08:00
tty_ldisc.c tty: Fix direct use of tty buffer work 2015-11-20 16:19:54 -08:00
tty_ldsem.c tty: tty_ldsem.c: move assignment out of if () block 2015-05-10 19:04:18 +02:00
tty_mutex.c tty: Wait interruptibly for tty lock on reopen 2016-02-17 12:31:02 -08:00
tty_port.c tty: Abstract tty buffer work 2015-10-17 21:32:21 -07:00