summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorPali Rohár <pali.rohar@gmail.com>2014-09-29 15:10:51 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2014-11-21 09:22:55 -0800
commit2a7978ef959430e21d93a6ab59284a11bc2c9bb6 (patch)
tree9859a031ff9b4305ff32562f10769a329919046b /drivers
parenta2ad9bef40181939a8b3469a98f33775e4b0a23a (diff)
downloadlwn-2a7978ef959430e21d93a6ab59284a11bc2c9bb6.tar.gz
lwn-2a7978ef959430e21d93a6ab59284a11bc2c9bb6.zip
dell-wmi: Fix access out of memory
commit a666b6ffbc9b6705a3ced704f52c3fe9ea8bf959 upstream. Without this patch, dell-wmi is trying to access elements of dynamically allocated array without checking the array size. This can lead to memory corruption or a kernel panic. This patch adds the missing checks for array size. Signed-off-by: Pali Rohár <pali.rohar@gmail.com> Signed-off-by: Darren Hart <dvhart@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/platform/x86/dell-wmi.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
index fa9a2171cc13..b264d8fe1908 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
const struct key_entry *key;
int reported_key;
u16 *buffer_entry = (u16 *)obj->buffer.pointer;
+ int buffer_size = obj->buffer.length/2;
- if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
+ if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]);
kfree(obj);
return;
}
- if (dell_new_hk_type || buffer_entry[1] == 0x0)
+ if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
reported_key = (int)buffer_entry[2];
- else
+ else if (buffer_size >= 2)
reported_key = (int)buffer_entry[1] & 0xffff;
+ else {
+ pr_info("Received unknown WMI event\n");
+ kfree(obj);
+ return;
+ }
key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key);