panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()

xiw · Matthew Garrett · commit e424fb8cc4e6 · 2012-03-12T10:25:51.000-04:00
num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL
on error.  Then it could bypass the sanity check (num_sifr &gt; 255).
The subsequent call to kzalloc() would allocate a small buffer, leading
to a memory corruption.

Signed-off-by: Xi Wang &lt;xi.wang@gmail.com&gt;
Signed-off-by: Matthew Garrett &lt;mjg@redhat.com&gt;
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c
@@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
 
 	num_sifr = acpi_pcc_get_sqty(device);
 
-	if (num_sifr > 255) {
-		ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large"));
+	if (num_sifr < 0 || num_sifr > 255) {
+		ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range"));
 		return -ENODEV;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)`
`562`	`562`
`563`	`563`	`num_sifr = acpi_pcc_get_sqty(device);`
`564`	`564`
`565`		`- if (num_sifr > 255) {`
`566`		`- ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large"));`
	`565`	`+ if (num_sifr < 0 \|\| num_sifr > 255) {`
	`566`	`+ ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range"));`
`567`	`567`	`return -ENODEV;`
`568`	`568`	`}`
`569`	`569`