Commit 40551426 authored by Pali Rohár's avatar Pali Rohár Committed by Luis Henriques

dell-wmi: Fix access out of memory

commit a666b6ff upstream.

Without this patch, dell-wmi is trying to access elements of dynamically
allocated array without checking the array size. This can lead to memory
corruption or a kernel panic. This patch adds the missing checks for
array size.
Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
Signed-off-by: default avatarDarren Hart <dvhart@linux.intel.com>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent 91334f83
...@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context) ...@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
const struct key_entry *key; const struct key_entry *key;
int reported_key; int reported_key;
u16 *buffer_entry = (u16 *)obj->buffer.pointer; u16 *buffer_entry = (u16 *)obj->buffer.pointer;
int buffer_size = obj->buffer.length/2;
if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
pr_info("Received unknown WMI event (0x%x)\n", pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]); buffer_entry[1]);
kfree(obj); kfree(obj);
return; return;
} }
if (dell_new_hk_type || buffer_entry[1] == 0x0) if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
reported_key = (int)buffer_entry[2]; reported_key = (int)buffer_entry[2];
else else if (buffer_size >= 2)
reported_key = (int)buffer_entry[1] & 0xffff; reported_key = (int)buffer_entry[1] & 0xffff;
else {
pr_info("Received unknown WMI event\n");
kfree(obj);
return;
}
key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key); reported_key);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment