On 10/15/2014, 08:41 PM, Pali Rohár wrote: > Without this patch driver dell-wmi is trying to access elements of dynamically > allocated array without checking array size. This can lead to memory corruption > or kernel panic. This patch adds missing checks for array size. > > Upstream commit id: a666b6ffbc9b6705a3ced704f52c3fe9ea8bf959 Hi, what stable kernels do you want this to be applied to? Thanks. > Signed-off-by: Pali Rohár <pali.rohar@xxxxxxxxx> > Signed-off-by: Darren Hart <dvhart@xxxxxxxxxxxxxxx> > --- > drivers/platform/x86/dell-wmi.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c > index 390e8e3..25721bf 100644 > --- a/drivers/platform/x86/dell-wmi.c > +++ b/drivers/platform/x86/dell-wmi.c > @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context) > const struct key_entry *key; > int reported_key; > u16 *buffer_entry = (u16 *)obj->buffer.pointer; > + int buffer_size = obj->buffer.length/2; > > - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { > + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) { > pr_info("Received unknown WMI event (0x%x)\n", > buffer_entry[1]); > kfree(obj); > return; > } > > - if (dell_new_hk_type || buffer_entry[1] == 0x0) > + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0)) > reported_key = (int)buffer_entry[2]; > - else > + else if (buffer_size >= 2) > reported_key = (int)buffer_entry[1] & 0xffff; > + else { > + pr_info("Received unknown WMI event\n"); > + kfree(obj); > + return; > + } > > key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, > reported_key); > -- js suse labs -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html