UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

dell-wmi: Fix access out of memory 

Without this patch, dell-wmi is trying to access elements of dynamically
allocated array without checking the array size. This can lead to memory
corruption or a kernel panic. This patch adds the missing checks for
array size.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
This commit is contained in:
Pali Rohár 2014-09-29 15:10:51 +02:00 committed by Darren Hart
parent 557b454971
commit a666b6ffbc
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
drivers/platform/x86/dell-wmi.c
View File

@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
const struct key_entry *key;
int reported_key;
u16 *buffer_entry = (u16 *)obj->buffer.pointer;
int buffer_size = obj->buffer.length/2;
if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]);
kfree(obj);
return;
}
if (dell_new_hk_type || buffer_entry[1] == 0x0)
if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
reported_key = (int)buffer_entry[2];
else
else if (buffer_size >= 2)
reported_key = (int)buffer_entry[1] & 0xffff;
else {
pr_info("Received unknown WMI event\n");
kfree(obj);
return;
}
key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key);