提交 e424fb8c 编写于 作者: X Xi Wang 提交者: Matthew Garrett

panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()

num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL
on error.  Then it could bypass the sanity check (num_sifr > 255).
The subsequent call to kzalloc() would allocate a small buffer, leading
to a memory corruption.
Signed-off-by: NXi Wang <xi.wang@gmail.com>
Signed-off-by: NMatthew Garrett <mjg@redhat.com>
上级 461e7437
...@@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) ...@@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
num_sifr = acpi_pcc_get_sqty(device); num_sifr = acpi_pcc_get_sqty(device);
if (num_sifr > 255) { if (num_sifr < 0 || num_sifr > 255) {
ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large")); ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range"));
return -ENODEV; return -ENODEV;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册