* Re: [PATCH] dell-wmi: Fix access out of memory
  [not found] <1411996251-13455-1-git-send-email-pali.rohar@gmail.com>
From: Darren Hart @ 2014-09-29 21:30 UTC
To: Pali Rohár
Cc: Matthew Garrett, platform-driver-x86, linux-kernel, linux-acpi, rjw

On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> Without this patch driver dell-wmi is trying to access elements of dynamically
> allocated array without checking array size. This can lead to memory corruption
> or kernel panic. This patch adds missing checks for array size.
>
> Signed-off-by: Pali Rohár <pali.rohar@gmail.com>

Looks good to me. Rafael, any concerns?

Cc: linux-acpi

> --- > This patch should be probably applied to stable kernel trees as it fixing > possible memory corruption. > --- > drivers/platform/x86/dell-wmi.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c > index 390e8e3..25721bf 100644 > --- a/drivers/platform/x86/dell-wmi.c > +++ b/drivers/platform/x86/dell-wmi.c 
> @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context) > const struct key_entry *key; > int reported_key; > u16 *buffer_entry = (u16 *)obj->buffer.pointer; > + int buffer_size = obj->buffer.length/2; > > - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { > + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) { > pr_info("Received unknown WMI event (0x%x)\n", > buffer_entry[1]); > kfree(obj); > return; > } > > - if (dell_new_hk_type || buffer_entry[1] == 0x0) > + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0)) > reported_key = (int)buffer_entry[2]; > - else > + else if (buffer_size >= 2) > reported_key = (int)buffer_entry[1] & 0xffff; > + else { > + pr_info("Received unknown WMI event\n"); > + kfree(obj); > + return; > + } > > key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, > reported_key); > -- > 1.7.9.5 > > -- Darren Hart Intel Open Source Technology Center ^ permalink raw reply [flat|nested] 5+ messages in thread
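Review bot: In the second `if`/`else if` chain, a two-word buffer on a `dell_new_hk_type` machine whose `buffer_entry[1]` is 0x10 fails `buffer_size >= 3` and then drops into `else if (buffer_size >= 2)`, so a truncated new-format event is reported as the legacy scancode `buffer_entry[1] & 0xffff` instead of being rejected; the same happens on the legacy path when `buffer_entry[1] == 0x0`. The accesses are now in bounds, but the length test and the format test should be kept apart: decide the format first, then return through the "unknown WMI event" path if the buffer is shorter than that format needs. Two smaller points: `buffer_size` holds a count derived from `obj->buffer.length`, so an unsigned type fits better than `int`, and the new `pr_info("Received unknown WMI event\n")` would be more useful if it also printed the received length.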
* Re: [PATCH] dell-wmi: Fix access out of memory
From: Rafael J. Wysocki @ 2014-09-29 23:26 UTC
To: Darren Hart
Cc: Pali Rohár, Matthew Garrett, platform-driver-x86, linux-kernel, linux-acpi

On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> > Without this patch driver dell-wmi is trying to access elements of dynamically
> > allocated array without checking array size. This can lead to memory corruption
> > or kernel panic. This patch adds missing checks for array size.
> >
> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
>
> Looks good to me. Rafael, any concerns?

Not anything obvious.

>
> Cc: linux-acpi

Thanks!

> > --- > > This patch should be probably applied to stable kernel trees as it fixing > > possible memory corruption. > > --- > > drivers/platform/x86/dell-wmi.c | 12 +++++++++--- > > 1 file changed, 9 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c > > index 390e8e3..25721bf 100644 > > --- a/drivers/platform/x86/dell-wmi.c > > +++ b/drivers/platform/x86/dell-wmi.c 
> > @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context) > > const struct key_entry *key; > > int reported_key; > > u16 *buffer_entry = (u16 *)obj->buffer.pointer; > > + int buffer_size = obj->buffer.length/2; > > > > - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { > > + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) { > > pr_info("Received unknown WMI event (0x%x)\n", > > buffer_entry[1]); > > kfree(obj); > > return; > > } > > > > - if (dell_new_hk_type || buffer_entry[1] == 0x0) > > + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0)) > > reported_key = (int)buffer_entry[2]; > > - else > > + else if (buffer_size >= 2) > > reported_key = (int)buffer_entry[1] & 0xffff; > > + else { > > + pr_info("Received unknown WMI event\n"); > > + kfree(obj); > > + return; > > + } > > > > key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, > > reported_key); > > -- I speak only for myself. Rafael J. Wysocki, Intel Open Source Technology Center. -- To unsubscribe from this list: send the line "unsubscribe linux-acpi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] dell-wmi: Fix access out of memory
From: Darren Hart @ 2014-09-29 23:16 UTC
To: Rafael J. Wysocki
Cc: Pali Rohár, Matthew Garrett, platform-driver-x86, linux-kernel, linux-acpi

On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki" <rjw@rjwysocki.net> wrote:
>On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
>> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
>> > Without this patch driver dell-wmi is trying to access elements of dynamically
>> > allocated array without checking array size. This can lead to memory corruption
>> > or kernel panic. This patch adds missing checks for array size.
>> >
>> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
>>
>> Looks good to me. Rafael, any concerns?
>
>Not anything obvious.

Queued, thanks.

>>
>> Cc: linux-acpi
>
>Thanks!

>> > --- >> > This patch should be probably applied to stable kernel trees as it >fixing >> > possible memory corruption. >> > --- >> > drivers/platform/x86/dell-wmi.c | 12 +++++++++--- >> > 1 file changed, 9 insertions(+), 3 deletions(-) >> > >> > diff --git a/drivers/platform/x86/dell-wmi.c >b/drivers/platform/x86/dell-wmi.c >> > index 390e8e3..25721bf 100644 >> > --- a/drivers/platform/x86/dell-wmi.c >> > +++ b/drivers/platform/x86/dell-wmi.c 
>> > @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void >*context) >> > const struct key_entry *key; >> > int reported_key; >> > u16 *buffer_entry = (u16 *)obj->buffer.pointer; >> > + int buffer_size = obj->buffer.length/2; >> > >> > - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { >> > + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != >0x10) { >> > pr_info("Received unknown WMI event (0x%x)\n", >> > buffer_entry[1]); >> > kfree(obj); >> > return; >> > } >> > >> > - if (dell_new_hk_type || buffer_entry[1] == 0x0) >> > + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == >0x0)) >> > reported_key = (int)buffer_entry[2]; >> > - else >> > + else if (buffer_size >= 2) >> > reported_key = (int)buffer_entry[1] & 0xffff; >> > + else { >> > + pr_info("Received unknown WMI event\n"); >> > + kfree(obj); >> > + return; >> > + } >> > >> > key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, >> > reported_key); >> >> -- Sent from my Android device with K-9 Mail. Please excuse my brevity. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] dell-wmi: Fix access out of memory
From: Pali Rohár @ 2014-10-12 16:45 UTC
To: Darren Hart
Cc: Rafael J. Wysocki, Matthew Garrett, platform-driver-x86, linux-kernel, linux-acpi

On Tuesday 30 September 2014 01:16:23 Darren Hart wrote:
> On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki" <rjw@rjwysocki.net> wrote:
> >On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
> >> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> >> > Without this patch driver dell-wmi is trying to access elements of dynamically
> >> > allocated array without checking array size. This can lead to memory corruption
> >> > or kernel panic. This patch adds missing checks for array size.
> >> >
> >> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
> >>
> >> Looks good to me. Rafael, any concerns?
> >
> >Not anything obvious.
>
> Queued, thanks.
>
> >> Cc: linux-acpi
> >
> >Thanks!

Now I see that this patch is in Linus' tree. Can you send it to stable trees too?

--
Pali Rohár
pali.rohar@gmail.com
* Re: [PATCH] dell-wmi: Fix access out of memory
From: Darren Hart @ 2014-10-12 22:32 UTC
To: Pali Rohár
Cc: Rafael J. Wysocki, Matthew Garrett, platform-driver-x86, linux-kernel, linux-acpi

On Sun, Oct 12, 2014 at 06:45:06PM +0200, Pali Rohár wrote:
> On Tuesday 30 September 2014 01:16:23 Darren Hart wrote:
> > On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki" <rjw@rjwysocki.net> wrote:
> > >On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
> > >> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> > >> > Without this patch driver dell-wmi is trying to access elements of dynamically
> > >> > allocated array without checking array size. This can lead to memory corruption
> > >> > or kernel panic. This patch adds missing checks for array size.
> > >> >
> > >> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
> > >>
> > >> Looks good to me. Rafael, any concerns?
> > >
> > >Not anything obvious.
> >
> > Queued, thanks.
> >
> > >> Cc: linux-acpi
> > >
> > >Thanks!
>
> Now I see that this patch is in Linus' tree. Can you send it to
> stable trees too?

Hi Pali,

Please see Documentation/stable_kernel_rules.txt for details on how to mark
patches for stable when you submit them. Now that it is in mainline, the process
is a bit more manual; you'll find instructions for how to go about that in the
same document.

Thanks,

--
Darren Hart
Intel Open Source Technology Center