panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()

num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL on error. Then it could bypass the sanity check (num_sifr > 255). The subsequent call to kzalloc() would allocate a small buffer, leading to a memory corruption. Signed-off-by: N Xi Wang <xi.wang@gmail.com> Signed-off-by: N Matthew Garrett <mjg@redhat.com>

panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()
num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL on error. Then it could bypass the sanity check (num_sifr > 255). The subsequent call to kzalloc() would allocate a small buffer, leading to a memory corruption. Signed-off-by: N Xi Wang <xi.wang@gmail.com> Signed-off-by: N Matthew Garrett <mjg@redhat.com>
e424fb8c · Xi Wang · Matthew Garrett · 461e7437 · e424fb8c
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

drivers/platform/x86/panasonic-laptop.c drivers/platform/x86/panasonic-laptop.c +2 -2

未找到文件。
--- a/drivers/platform/x86/panasonic-laptop.c
+++ b/drivers/platform/x86/panasonic-laptop.c
@@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)

 	num_sifr = acpi_pcc_get_sqty(device);

-	if (num_sifr > 255) {
-		ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large"));
+	if (num_sifr < 0 || num_sifr > 255) {
+		ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range"));
 		return -ENODEV;
 	}