Revert "ANDROID: input: keychord: Fix a slab out-of-bounds read."
authorMark Salyzyn <salyzyn@google.com>
Wed, 9 May 2018 19:23:28 +0000 (12:23 -0700)
committerMark Salyzyn <salyzyn@google.com>
Fri, 29 Mar 2019 22:33:05 +0000 (15:33 -0700)
This reverts commit 92fc7f9aa0298cc112b2893e4e0bcf522f2659a8.

Remove keychord driver, replaced in user space by
https://android-review.googlesource.com/c/677629.

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Cc: Amit Pundir <amit.pundir@linaro.org>
Bug: 64114943
Bug: 63962952
Bug: 129556081
Change-Id: I0a652b72b0ee62974c408ffb0987cc2ef9e346c1

drivers/input/misc/keychord.c

index 4e0f7daeada63f0859793a1a0dd3bc3ec45feaab..8ed8a2738ea15e7286990e92e706238d057b9870 100644 (file)
@@ -232,11 +232,9 @@ static ssize_t keychord_write(struct file *file, const char __user *buffer,
 {
        struct keychord_device *kdev = file->private_data;
        struct input_keychord *keychords = 0;
-       struct input_keychord *keychord;
+       struct input_keychord *keychord, *next, *end;
        int ret, i, key;
        unsigned long flags;
-       size_t resid = count;
-       size_t key_bytes;
 
        if (count < sizeof(struct input_keychord) || count > PAGE_SIZE)
                return -EINVAL;
@@ -267,29 +265,15 @@ static ssize_t keychord_write(struct file *file, const char __user *buffer,
        kdev->head = kdev->tail = 0;
 
        keychord = keychords;
+       end = (struct input_keychord *)((char *)keychord + count);
 
-       while (resid > 0) {
-               /* Is the entire keychord entry header present ? */
-               if (resid < sizeof(struct input_keychord)) {
-                       pr_err("keychord: Insufficient bytes present for header %zu\n",
-                              resid);
-                       goto err_unlock_return;
-               }
-               resid -= sizeof(struct input_keychord);
-               if (keychord->count <= 0) {
+       while (keychord < end) {
+               next = NEXT_KEYCHORD(keychord);
+               if (keychord->count <= 0 || next > end) {
                        pr_err("keychord: invalid keycode count %d\n",
                                keychord->count);
                        goto err_unlock_return;
                }
-               key_bytes = keychord->count * sizeof(keychord->keycodes[0]);
-               /* Do we have all the expected keycodes ? */
-               if (resid < key_bytes) {
-                       pr_err("keychord: Insufficient bytes present for keycount %zu\n",
-                              resid);
-                       goto err_unlock_return;
-               }
-               resid -= key_bytes;
-
                if (keychord->version != KEYCHORD_VERSION) {
                        pr_err("keychord: unsupported version %d\n",
                                keychord->version);
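Review bot: The restored `while (keychord < end)` loop enters its body even when fewer than `sizeof(struct input_keychord)` bytes remain before `end`, so `keychord->count` (and `NEXT_KEYCHORD(keychord)`, whose definition is outside this hunk and presumably takes its stride from `count`) can read past the `count` bytes accepted at the top of keychord_write. That appears to be the slab out-of-bounds read the reverted commit's `resid` header check closed. If this revert is only a step towards deleting the driver, as the description says, the message should state that no tree is meant to ship at this intermediate state; otherwise keep a guard ahead of the first dereference, e.g. `if ((size_t)((char *)end - (char *)keychord) < sizeof(struct input_keychord)) goto err_unlock_return;`. The merged test `keychord->count <= 0 || next > end` also logs a truncated entry as "invalid keycode count", which hides the real cause from anyone triaging the kernel log. The body of keychord_write starts and ends outside this hunk.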
@@ -308,7 +292,7 @@ static ssize_t keychord_write(struct file *file, const char __user *buffer,
                }
 
                kdev->keychord_count++;
-               keychord = NEXT_KEYCHORD(keychord);
+               keychord = next;
        }
 
        kdev->keychords = keychords;