Input: joydev - prevent potential read overflow in ioctl

The problem here is that "len" might be less than "joydev->nabs" so the
loops which verfy abspam[i] and keypam[] might read beyond the buffer.

Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YCyzR8WvFRw4HWw6@mwanda
[dtor: additional check for len being even in joydev_handle_JSIOCSBTNMAP]
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c
index a2b5fbba2d3b3983a875709a7a8b86839949816b..430dc69750048a88105551979b8e1640e9cf07ac 100644 (file)
--- a/drivers/input/joydev.c
+++ b/drivers/input/joydev.c
@@ -456,7 +456,7 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev,
        if (IS_ERR(abspam))
                return PTR_ERR(abspam);
 
-       for (i = 0; i < joydev->nabs; i++) {
+       for (i = 0; i < len && i < joydev->nabs; i++) {
                if (abspam[i] > ABS_MAX) {
                        retval = -EINVAL;
                        goto out;
@@ -480,6 +480,9 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,
        int i;
        int retval = 0;
 
+       if (len % sizeof(*keypam))
+               return -EINVAL;
+
        len = min(len, sizeof(joydev->keypam));
 
        /* Validate the map. */
@@ -487,7 +490,7 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,
        if (IS_ERR(keypam))
                return PTR_ERR(keypam);
 
-       for (i = 0; i < joydev->nkey; i++) {
+       for (i = 0; i < (len / 2) && i < joydev->nkey; i++) {
                if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {
                        retval = -EINVAL;
                        goto out;