git.cascardo.info Git - cascardo/linux.git/commit

author	Dan Carpenter <dan.carpenter@oracle.com>
	Thu, 13 Oct 2011 04:05:53 +0000 (21:05 -0700)
committer	Dmitry Torokhov <dmitry.torokhov@gmail.com>
	Thu, 13 Oct 2011 04:13:11 +0000 (21:13 -0700)
commit	05be8b81aafd4f95106a91ff3fd8581fa984fad9
tree	d34da61ab5fa18f5fb57b0342a1e3871aedb36bc	tree \| snapshot
parent	341deefe8f4584b09564193cb46d8cf386f491a5	commit \| diff

Input: force feedback - potential integer wrap in input_ff_create()

The problem here is that max_effects can wrap on 32 bits systems.
We'd allocate a smaller amount of data than sizeof(struct ff_device).
The call to kcalloc() on the next line would fail but it would write
the NULL return outside of the memory we just allocated causing data
corruption.

The call path is that uinput_setup_device() get ->ff_effects_max from
the user and sets the value in the ->private_data struct.  From there
it is:
-> uinput_ioctl_handler()
   -> uinput_create_device()
      -> input_ff_create(dev, udev->ff_effects_max);

I've also changed ff_effects_max so it's an unsigned int instead of
a signed int as a cleanup.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

drivers/input/ff-core.c		diff \| blob \| history
include/linux/input.h		diff \| blob \| history
include/linux/uinput.h		diff \| blob \| history