[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1411996251-13455-1-git-send-email-pali.rohar@gmail.com>
Date: Mon, 29 Sep 2014 15:10:51 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: Matthew Garrett <mjg59@...f.ucam.org>,
Darren Hart <dvhart@...radead.org>
Cc: platform-driver-x86@...r.kernel.org, linux-kernel@...r.kernel.org,
Pali Rohár <pali.rohar@...il.com>
Subject: [PATCH] dell-wmi: Fix access out of memory
Without this patch driver dell-wmi is trying to access elements of dynamically
allocated array without checking array size. This can lead to memory corruption
or kernel panic. This patch adds missing checks for array size.
Signed-off-by: Pali Rohár <pali.rohar@...il.com>
---
This patch should be probably applied to stable kernel trees as it fixing
possible memory corruption.
---
drivers/platform/x86/dell-wmi.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
index 390e8e3..25721bf 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
const struct key_entry *key;
int reported_key;
u16 *buffer_entry = (u16 *)obj->buffer.pointer;
+ int buffer_size = obj->buffer.length/2;
- if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
+ if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]);
kfree(obj);
return;
}
- if (dell_new_hk_type || buffer_entry[1] == 0x0)
+ if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
reported_key = (int)buffer_entry[2];
- else
+ else if (buffer_size >= 2)
reported_key = (int)buffer_entry[1] & 0xffff;
+ else {
+ pr_info("Received unknown WMI event\n");
+ kfree(obj);
+ return;
+ }
key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key);
--
1.7.9.5
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists