On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote: > On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote: > > Without this patch driver dell-wmi is trying to access elements of dynamically > > allocated array without checking array size. This can lead to memory corruption > > or kernel panic. This patch adds missing checks for array size. > > > > Signed-off-by: Pali Rohár <pali.rohar@xxxxxxxxx> > > Looks good to me. Rafael, any concerns? Not anything obvious. > > Cc: linux-acpi Thanks! > > --- > > This patch should be probably applied to stable kernel trees as it fixing > > possible memory corruption. > > --- > > drivers/platform/x86/dell-wmi.c | 12 +++++++++--- > > 1 file changed, 9 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c > > index 390e8e3..25721bf 100644 > > --- a/drivers/platform/x86/dell-wmi.c > > +++ b/drivers/platform/x86/dell-wmi.c > > @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context) > > const struct key_entry *key; > > int reported_key; > > u16 *buffer_entry = (u16 *)obj->buffer.pointer; > > + int buffer_size = obj->buffer.length/2; > > > > - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { > > + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) { > > pr_info("Received unknown WMI event (0x%x)\n", > > buffer_entry[1]); > > kfree(obj); > > return; > > } > > > > - if (dell_new_hk_type || buffer_entry[1] == 0x0) > > + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0)) > > reported_key = (int)buffer_entry[2]; > > - else > > + else if (buffer_size >= 2) > > reported_key = (int)buffer_entry[1] & 0xffff; > > + else { > > + pr_info("Received unknown WMI event\n"); > > + kfree(obj); > > + return; > > + } > > > > key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, > > reported_key); > > -- I speak only for myself. Rafael J. Wysocki, Intel Open Source Technology Center. -- To unsubscribe from this list: send the line "unsubscribe platform-driver-x86" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html