From 95f51a3d9cba14f14d3846ccc113cf24b61adf69 Mon Sep 17 00:00:00 2001
From: Mark Salyzyn
Date: Wed, 9 May 2018 12:23:28 -0700
Subject: [PATCH] Revert "ANDROID: input: keychord: Fix a slab out-of-bounds read."
This reverts commit 92fc7f9aa0298cc112b2893e4e0bcf522f2659a8.
Remove keychord driver, replaced in user space by https://android-review.googlesource.com/c/677629.
Signed-off-by: Mark Salyzyn
Cc: Amit Pundir
Bug: 64114943
Bug: 63962952
Bug: 129556081
Change-Id: I0a652b72b0ee62974c408ffb0987cc2ef9e346c1
---
 drivers/input/misc/keychord.c | 28 ++++++----------------------
 1 file changed, 6 insertions(+), 22 deletions(-)
diff --git a/drivers/input/misc/keychord.c b/drivers/input/misc/keychord.c
index 4e0f7daeada6..8ed8a2738ea1 100644
--- a/drivers/input/misc/keychord.c
+++ b/drivers/input/misc/keychord.c
@@ -232,11 +232,9 @@ static ssize_t keychord_write(struct file *file, const char __user *buffer,
 {
 struct keychord_device *kdev = file->private_data;
 struct input_keychord *keychords = 0;
- struct input_keychord *keychord;
+ struct input_keychord *keychord, *next, *end;
 int ret, i, key;
 unsigned long flags;
- size_t resid = count;
- size_t key_bytes;
 if (count < sizeof(struct input_keychord) || count > PAGE_SIZE)
 return -EINVAL;
@@ -267,29 +265,15 @@ static ssize_t keychord_write(struct file *file, const char __user *buffer,
 kdev->head = kdev->tail = 0;
 keychord = keychords;
+ end = (struct input_keychord *)((char *)keychord + count);
- while (resid > 0) {
- /* Is the entire keychord entry header present ? */
- if (resid < sizeof(struct input_keychord)) {
- pr_err("keychord: Insufficient bytes present for header %zu\n",
- resid);
- goto err_unlock_return;
- }
- resid -= sizeof(struct input_keychord);
- if (keychord->count <= 0) {
+ while (keychord < end) {
+ next = NEXT_KEYCHORD(keychord);
+ if (keychord->count <= 0 || next > end) {
 pr_err("keychord: invalid keycode count %d\n",
 keychord->count);
 goto err_unlock_return;
 }
- key_bytes = keychord->count * sizeof(keychord->keycodes[0]);
- /* Do we have all the expected keycodes ? */
- if (resid < key_bytes) {
- pr_err("keychord: Insufficient bytes present for keycount %zu\n",
- resid);
- goto err_unlock_return;
- }
- resid -= key_bytes;
-
 if (keychord->version != KEYCHORD_VERSION) {
 pr_err("keychord: unsupported version %d\n",
 keychord->version);
@@ -308,7 +292,7 @@ static ssize_t keychord_write(struct file *file, const char __user *buffer,
 }
 kdev->keychord_count++;
- keychord = NEXT_KEYCHORD(keychord);
+ keychord = next;
 }
 kdev->keychords = keychords;
--
2.20.1
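Review bot: In the restored `while (keychord < end)` loop, `NEXT_KEYCHORD(keychord)` and `keychord->count` are evaluated before anything confirms that a whole `struct input_keychord` header lies between `keychord` and `end`. The `count < sizeof(struct input_keychord)` test at the top of keychord_write covers only the first entry, so a trailing fragment shorter than the header is read beyond `end`; this is the case the removed `resid` checks rejected. While the driver remains buildable, keep a header check ahead of the dereference, e.g. `if ((size_t)((char *)end - (char *)keychord) < sizeof(*keychord)) goto err_unlock_return;` placed before `next = NEXT_KEYCHORD(keychord);`. The `next > end` test then bounds the keycode array, assuming NEXT_KEYCHORD advances by the header plus `count` keycodes (its definition is not in this patch). keychord_write starts and ends outside the hunk, and the description speaks of removing the driver while the diff only changes this parser.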