drivers · c3fdd7d30a36cb393b0a2c09bb693dfa6a3b04a5 · Upstream / linux-stable

An error occurred while fetching folder content.

tty/vt/keyboard: fix OOB access in do_compute_shiftstate()

Dmitry Torokhov authored 9 years ago

commit 510cccb5

 upstream.

The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS,
which is currently 256, whereas number of keys/buttons in input device (and
therefor in key_down) is much larger - KEY_CNT - 768, and that can cause
out-of-bound access when we do

	sym = U(key_maps[0][k]);

with large 'k'.

To fix it we should not attempt iterating beyond smaller of NR_KEYS and
KEY_CNT.

Also while at it let's switch to for_each_set_bit() instead of open-coding
it.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>

074ed3fd

Name	Last commit	Last update
..
accessibility	vt:tackle kbd_table	13 years ago
acpi	PCI/ACPI: Fix _OSC ordering to allow PCIe hotplug use when available	8 years ago
amba	ARM: 7675/1: amba: tegra-ahb: Fix build error w/ PM_SLEEP w/o PM_RUNTIME	12 years ago
ata	libata: fix HDIO_GET_32BIT ioctl	9 years ago
atm	atm: idt77252: fix dev refcnt leak	11 years ago
auxdisplay	auxdisplay: ks0108: fix refcount	9 years ago
base	base: make module_create_drivers_dir race-free	8 years ago
bcma	bcma: add more core IDs	12 years ago
block	nbd: ratelimit error msgs after socket close	9 years ago
bluetooth	Bluetooth: vhci: purge unhandled skbs	9 years ago
bus	bus: mvebu: pass the coherency availability information at init time	10 years ago
cdrom	drivers/cdrom/cdrom.c: use kzalloc() for failing hardware	11 years ago
char	vTPM: fix memory allocation flag for rtce buffer at kernel boot	9 years ago
clk	clk: versatile: sp810: support reentrance	9 years ago
clocksource	clocksource/drivers/vt8500: Increase the minimum delta	9 years ago
connector	connector: bump skb->users before callback invocation	9 years ago
cpufreq	cpufreq: speedstep-smi: enable interrupts when waiting	10 years ago
cpuidle	cpuidle / menu: Return (-1) if there are no suitable states	9 years ago
crypto	crypto: ux500 - memmove the right size	8 years ago
dca	dca: convert to idr_alloc()	12 years ago
devfreq	Merge branch 'master' into for-next	12 years ago
dio	m68k: don't export static inline functions	15 years ago
dma	dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup	9 years ago
edac	EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback	9 years ago
eisa	Revert "EISA: Initialize device before its resources"	11 years ago
extcon
firewire
firmware
gpio
gpu
hid
hsi
hv
hwmon
hwspinlock
i2c
ide
idle
iio
infiniband
input
iommu
ipack
irqchip
isdn
leds
lguest
macintosh
mailbox
md
media
memory
memstick
message
mfd
misc
mmc
mtd
net
nfc
ntb
nubus
of
oprofile
parisc
parport
pci
pcmcia
pinctrl
platform
pnp
power
pps
ps3
ptp
pwm
rapidio
regulator
remoteproc
reset
rpmsg
rtc
s390
sbus
scsi
sfi
sh
sn
spi
ssb
ssbi
staging
target
tc
thermal
tty
uio
usb
uwb
vfio

GitLab

Menu

Download source code

Download this directory