Skip to content

Commit 206f533

Browse files
committed
Input: uinput - reject requests with unreasonable number of slots
From: Dmitry Torokhov <[email protected]> When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts. Reported-by: Tetsuo Handa <[email protected]> Reported-by: syzbot <[email protected]> Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5 Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Dmitry Torokhov <[email protected]>
1 parent fc289d3 commit 206f533

File tree

1 file changed

+14
-0
lines changed

1 file changed

+14
-0
lines changed

drivers/input/misc/uinput.c

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -417,6 +417,20 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
417417
return -EINVAL;
418418
}
419419

420+
/*
421+
* Limit number of contacts to a reasonable value (100). This
422+
* ensures that we need less than 2 pages for struct input_mt
423+
* (we are not using in-kernel slot assignment so not going to
424+
* allocate memory for the "red" table), and we should have no
425+
* trouble getting this much memory.
426+
*/
427+
if (code == ABS_MT_SLOT && max > 99) {
428+
printk(KERN_DEBUG
429+
"%s: unreasonably large number of slots requested: %d\n",
430+
UINPUT_NAME, max);
431+
return -EINVAL;
432+
}
433+
420434
return 0;
421435
}
422436

0 commit comments

Comments
 (0)