From owner-svn-src-user@FreeBSD.ORG  Sun Apr 19 10:47:56 2015
Return-Path: <owner-svn-src-user@FreeBSD.ORG>
Delivered-To: svn-src-user@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 85A3F368;
 Sun, 19 Apr 2015 10:47:56 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 67387980;
 Sun, 19 Apr 2015 10:47:56 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t3JAluKN048456;
 Sun, 19 Apr 2015 10:47:56 GMT (envelope-from jceel@FreeBSD.org)
Received: (from jceel@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id t3JAlu5Q048451;
 Sun, 19 Apr 2015 10:47:56 GMT (envelope-from jceel@FreeBSD.org)
Message-Id: <201504191047.t3JAlu5Q048451@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: jceel set sender to
 jceel@FreeBSD.org using -f
From: Jakub Wojciech Klama <jceel@FreeBSD.org>
Date: Sun, 19 Apr 2015 10:47:55 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-user@freebsd.org
Subject: svn commit: r281737 - user/jceel/soc2014_evdev/head/sys/dev/evdev
X-SVN-Group: user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-user@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "SVN commit messages for the experimental &quot; user&quot;
 src tree" <svn-src-user.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-user>,
 <mailto:svn-src-user-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-user/>
List-Post: <mailto:svn-src-user@freebsd.org>
List-Help: <mailto:svn-src-user-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-user>,
 <mailto:svn-src-user-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Apr 2015 10:47:56 -0000

Author: jceel
Date: Sun Apr 19 10:47:55 2015
New Revision: 281737
URL: https://svnweb.freebsd.org/changeset/base/281737

Log:
  Add event checks to evdev_push_event() to prevent overwriting event
  state arrays by potentially malicious uinput provider.

Modified:
  user/jceel/soc2014_evdev/head/sys/dev/evdev/evdev.c
  user/jceel/soc2014_evdev/head/sys/dev/evdev/uinput.c

Modified: user/jceel/soc2014_evdev/head/sys/dev/evdev/evdev.c
==============================================================================
--- user/jceel/soc2014_evdev/head/sys/dev/evdev/evdev.c	Sun Apr 19 09:35:46 2015	(r281736)
+++ user/jceel/soc2014_evdev/head/sys/dev/evdev/evdev.c	Sun Apr 19 10:47:55 2015	(r281737)
@@ -60,6 +60,7 @@ static void evdev_assign_id(struct evdev
 static void evdev_start_repeat(struct evdev_dev *, int32_t);
 static void evdev_stop_repeat(struct evdev_dev *);
 #endif
+static int evdev_check_event(struct evdev_dev *, uint16_t, uint16_t, int32_t);
 static void evdev_client_push(struct evdev_client *, uint16_t, uint16_t,
     int32_t);
 
@@ -270,6 +271,37 @@ evdev_set_repeat_params(struct evdev_dev
 	evdev->ev_rep[property] = value;
 }
 
+static int
+evdev_check_event(struct evdev_dev *evdev, uint16_t type, uint16_t code,
+    int32_t value)
+{
+
+	if (type == EV_KEY) {
+		if (code >= KEY_CNT)
+			return (EINVAL);
+	} else if (type == EV_REL) {
+		if (code >= REL_CNT)
+			return (EINVAL);
+	} else if (type == EV_ABS) {
+		if (code >= ABS_CNT)
+			return (EINVAL);
+	} else if (type == EV_MSC) {
+		if (code >= MSC_CNT)
+			return (EINVAL);
+	} else if (type == EV_LED) {
+		if (code >= LED_CNT)
+			return (EINVAL);
+	} else if (type == EV_SND) {
+		if (code >= SND_CNT)
+			return (EINVAL);
+	} else if (type == EV_SW) {
+		if (code >= SW_CNT)
+			return (EINVAL);
+	} else
+		return (EINVAL);
+
+	return (0);
+}
 
 int
 evdev_push_event(struct evdev_dev *evdev, uint16_t type, uint16_t code,
@@ -277,6 +309,9 @@ evdev_push_event(struct evdev_dev *evdev
 {
 	struct evdev_client *client;
 
+	if (evdev_check_event(evdev, type, code, value) != 0)
+		return (EINVAL);
+
 	debugf("%s pushed event %d/%d/%d",
 	    evdev->ev_shortname, type, code, value);
 

Modified: user/jceel/soc2014_evdev/head/sys/dev/evdev/uinput.c
==============================================================================
--- user/jceel/soc2014_evdev/head/sys/dev/evdev/uinput.c	Sun Apr 19 09:35:46 2015	(r281736)
+++ user/jceel/soc2014_evdev/head/sys/dev/evdev/uinput.c	Sun Apr 19 10:47:55 2015	(r281737)
@@ -87,7 +87,6 @@ struct uinput_cdev_state
 {
 	bool			ucs_connected;
 	struct evdev_dev *	ucs_evdev;
-	struct evdev_dev	ucs_state;
 	struct mtx		ucs_mtx;
 };
 
@@ -181,8 +180,11 @@ uinput_write(struct cdev *dev, struct ui
 
 		while (uio->uio_resid > 0) {
 			uiomove(&event, sizeof(struct input_event), uio);
-			evdev_push_event(state->ucs_evdev, event.type, event.code,
+			ret = evdev_push_event(state->ucs_evdev, event.type, event.code,
 			    event.value);
+
+			if (ret != 0)
+				return (ret);
 		}
 	}