• Dmitry Torokhov's avatar
    vt: keyboard: avoid signed integer overflow in k_ascii · b86dab05
    Dmitry Torokhov authored
    When k_ascii is invoked several times in a row there is a potential for
    signed integer overflow:
    
    UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow:
    10 * 1111111111 cannot be represented in type 'int'
    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
     <IRQ>
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0xce/0x128 lib/dump_stack.c:118
     ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
     handle_overflow+0xdc/0xf0 lib/ubsan.c:184
     __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
     k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
     kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
     kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
    
    While it can be worked around by using check_mul_overflow()/
    check_add_overflow(), it is better to introduce a separate flag to
    signal that number pad is being used to compose a symbol, and
    change type of the accumulator from signed to unsigned, thus
    avoiding undefined behavior when it overflows.
    Reported-by: default avatarKyungtae Kim <kt0755@gmail.com>
    Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-wsSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    b86dab05
keyboard.c 53.3 KB