diff options
author | Pali Rohár <pali.rohar@gmail.com> | 2014-09-29 15:10:51 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-11-21 09:22:55 -0800 |
commit | 2a7978ef959430e21d93a6ab59284a11bc2c9bb6 (patch) | |
tree | 9859a031ff9b4305ff32562f10769a329919046b /drivers | |
parent | a2ad9bef40181939a8b3469a98f33775e4b0a23a (diff) | |
download | lwn-2a7978ef959430e21d93a6ab59284a11bc2c9bb6.tar.gz lwn-2a7978ef959430e21d93a6ab59284a11bc2c9bb6.zip |
dell-wmi: Fix access out of memory
commit a666b6ffbc9b6705a3ced704f52c3fe9ea8bf959 upstream.
Without this patch, dell-wmi is trying to access elements of dynamically
allocated array without checking the array size. This can lead to memory
corruption or a kernel panic. This patch adds the missing checks for
array size.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/platform/x86/dell-wmi.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c index fa9a2171cc13..b264d8fe1908 100644 --- a/drivers/platform/x86/dell-wmi.c +++ b/drivers/platform/x86/dell-wmi.c @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context) const struct key_entry *key; int reported_key; u16 *buffer_entry = (u16 *)obj->buffer.pointer; + int buffer_size = obj->buffer.length/2; - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) { pr_info("Received unknown WMI event (0x%x)\n", buffer_entry[1]); kfree(obj); return; } - if (dell_new_hk_type || buffer_entry[1] == 0x0) + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0)) reported_key = (int)buffer_entry[2]; - else + else if (buffer_size >= 2) reported_key = (int)buffer_entry[1] & 0xffff; + else { + pr_info("Received unknown WMI event\n"); + kfree(obj); + return; + } key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, reported_key); |