intel_scu_ipcutil: underflow in scu_reg_access()

"count" is controlled by the user and it can be negative. Let's prevent that by making it unsigned. You have to have CAP_SYS_RAWIO to call this function so the bug is not as serious as it could be. Fixes: 5369c02d ('intel_scu_ipc: Utility driver for intel scu ipc') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@vger.kernel.org Signed-off-by: Darren Hart <dvhart@linux.intel.com>

intel_scu_ipcutil: underflow in scu_reg_access()
"count" is controlled by the user and it can be negative. Let's prevent that by making it unsigned. You have to have CAP_SYS_RAWIO to call this function so the bug is not as serious as it could be. Fixes: 5369c02d ('intel_scu_ipc: Utility driver for intel scu ipc') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@vger.kernel.org Signed-off-by: Darren Hart <dvhart@linux.intel.com>
b1d353ad · Dan Carpenter · Darren Hart · 1c319e78 · b1d353ad
Commit b1d353ad authored Jan 26, 2016 by Dan Carpenter Committed by Darren Hart Jan 30, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/platform/x86/intel_scu_ipcutil.c drivers/platform/x86/intel_scu_ipcutil.c +1 -1

No files found.
--- a/drivers/platform/x86/intel_scu_ipcutil.c
+++ b/drivers/platform/x86/intel_scu_ipcutil.c
@@ -49,7 +49,7 @@ struct scu_ipc_data {

 static int scu_reg_access(u32 cmd, struct scu_ipc_data  *data)
 {
-	int count = data->count;
+	unsigned int count = data->count;

 	if (count == 0 || count == 3 || count > 4)
 		return -EINVAL;