diff options
author | Pali Rohár <pali.rohar@gmail.com> | 2014-09-29 15:10:51 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-11-21 09:23:05 -0800 |
commit | d07dd9bce7b90980393cecd372b08600e0f345de (patch) | |
tree | dffbac556420f097ff7cc72e5aa037bb192119fd | |
parent | 42d49f4525661181162386eea643275a5de10b59 (diff) | |
download | kernel-common-d07dd9bce7b90980393cecd372b08600e0f345de.tar.gz kernel-common-d07dd9bce7b90980393cecd372b08600e0f345de.tar.bz2 kernel-common-d07dd9bce7b90980393cecd372b08600e0f345de.zip |
dell-wmi: Fix access out of memory
commit a666b6ffbc9b6705a3ced704f52c3fe9ea8bf959 upstream.
Without this patch, dell-wmi is trying to access elements of dynamically
allocated array without checking the array size. This can lead to memory
corruption or a kernel panic. This patch adds the missing checks for
array size.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/platform/x86/dell-wmi.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c index 390e8e33d5e3..25721bf20092 100644 --- a/drivers/platform/x86/dell-wmi.c +++ b/drivers/platform/x86/dell-wmi.c @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context) const struct key_entry *key; int reported_key; u16 *buffer_entry = (u16 *)obj->buffer.pointer; + int buffer_size = obj->buffer.length/2; - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) { pr_info("Received unknown WMI event (0x%x)\n", buffer_entry[1]); kfree(obj); return; } - if (dell_new_hk_type || buffer_entry[1] == 0x0) + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0)) reported_key = (int)buffer_entry[2]; - else + else if (buffer_size >= 2) reported_key = (int)buffer_entry[1] & 0xffff; + else { + pr_info("Received unknown WMI event\n"); + kfree(obj); + return; + } key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, reported_key); |