* [PATCH] dell-wmi: Fix access out of memory
@ 2014-09-29 13:10 Pali Rohár
2014-09-29 21:30 ` Darren Hart
0 siblings, 1 reply; 6+ messages in thread
From: Pali Rohár @ 2014-09-29 13:10 UTC (permalink / raw)
To: Matthew Garrett, Darren Hart
Cc: platform-driver-x86, linux-kernel, Pali Rohár
Without this patch driver dell-wmi is trying to access elements of dynamically
allocated array without checking array size. This can lead to memory corruption
or kernel panic. This patch adds missing checks for array size.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
---
This patch should be probably applied to stable kernel trees as it fixing
possible memory corruption.
---
drivers/platform/x86/dell-wmi.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
index 390e8e3..25721bf 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
const struct key_entry *key;
int reported_key;
u16 *buffer_entry = (u16 *)obj->buffer.pointer;
+ int buffer_size = obj->buffer.length/2;
- if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
+ if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]);
kfree(obj);
return;
}
- if (dell_new_hk_type || buffer_entry[1] == 0x0)
+ if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
reported_key = (int)buffer_entry[2];
- else
+ else if (buffer_size >= 2)
reported_key = (int)buffer_entry[1] & 0xffff;
+ else {
+ pr_info("Received unknown WMI event\n");
+ kfree(obj);
+ return;
+ }
key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key);
--
1.7.9.5
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] dell-wmi: Fix access out of memory
2014-09-29 13:10 [PATCH] dell-wmi: Fix access out of memory Pali Rohár
@ 2014-09-29 21:30 ` Darren Hart
2014-09-29 23:26 ` Rafael J. Wysocki
0 siblings, 1 reply; 6+ messages in thread
From: Darren Hart @ 2014-09-29 21:30 UTC (permalink / raw)
To: Pali Rohár
Cc: Matthew Garrett, platform-driver-x86, linux-kernel, linux-acpi,
rjw
On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> Without this patch driver dell-wmi is trying to access elements of dynamically
> allocated array without checking array size. This can lead to memory corruption
> or kernel panic. This patch adds missing checks for array size.
>
> Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
Looks good to me. Rafael, any concerns?
Cc: linux-acpi
> ---
> This patch should be probably applied to stable kernel trees as it fixing
> possible memory corruption.
> ---
> drivers/platform/x86/dell-wmi.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
> index 390e8e3..25721bf 100644
> --- a/drivers/platform/x86/dell-wmi.c
> +++ b/drivers/platform/x86/dell-wmi.c
> @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
> const struct key_entry *key;
> int reported_key;
> u16 *buffer_entry = (u16 *)obj->buffer.pointer;
> + int buffer_size = obj->buffer.length/2;
>
> - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
> + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
> pr_info("Received unknown WMI event (0x%x)\n",
> buffer_entry[1]);
> kfree(obj);
> return;
> }
>
> - if (dell_new_hk_type || buffer_entry[1] == 0x0)
> + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
> reported_key = (int)buffer_entry[2];
> - else
> + else if (buffer_size >= 2)
> reported_key = (int)buffer_entry[1] & 0xffff;
> + else {
> + pr_info("Received unknown WMI event\n");
> + kfree(obj);
> + return;
> + }
>
> key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
> reported_key);
> --
> 1.7.9.5
>
>
--
Darren Hart
Intel Open Source Technology Center
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] dell-wmi: Fix access out of memory
2014-09-29 21:30 ` Darren Hart
@ 2014-09-29 23:26 ` Rafael J. Wysocki
2014-09-29 23:16 ` Darren Hart
0 siblings, 1 reply; 6+ messages in thread
From: Rafael J. Wysocki @ 2014-09-29 23:26 UTC (permalink / raw)
To: Darren Hart
Cc: Pali Rohár, Matthew Garrett, platform-driver-x86,
linux-kernel, linux-acpi
On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> > Without this patch driver dell-wmi is trying to access elements of dynamically
> > allocated array without checking array size. This can lead to memory corruption
> > or kernel panic. This patch adds missing checks for array size.
> >
> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
>
> Looks good to me. Rafael, any concerns?
Not anything obvious.
>
> Cc: linux-acpi
Thanks!
> > ---
> > This patch should be probably applied to stable kernel trees as it fixing
> > possible memory corruption.
> > ---
> > drivers/platform/x86/dell-wmi.c | 12 +++++++++---
> > 1 file changed, 9 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
> > index 390e8e3..25721bf 100644
> > --- a/drivers/platform/x86/dell-wmi.c
> > +++ b/drivers/platform/x86/dell-wmi.c
> > @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
> > const struct key_entry *key;
> > int reported_key;
> > u16 *buffer_entry = (u16 *)obj->buffer.pointer;
> > + int buffer_size = obj->buffer.length/2;
> >
> > - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
> > + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
> > pr_info("Received unknown WMI event (0x%x)\n",
> > buffer_entry[1]);
> > kfree(obj);
> > return;
> > }
> >
> > - if (dell_new_hk_type || buffer_entry[1] == 0x0)
> > + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
> > reported_key = (int)buffer_entry[2];
> > - else
> > + else if (buffer_size >= 2)
> > reported_key = (int)buffer_entry[1] & 0xffff;
> > + else {
> > + pr_info("Received unknown WMI event\n");
> > + kfree(obj);
> > + return;
> > + }
> >
> > key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
> > reported_key);
>
>
--
I speak only for myself.
Rafael J. Wysocki, Intel Open Source Technology Center.
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] dell-wmi: Fix access out of memory
2014-09-29 23:26 ` Rafael J. Wysocki
@ 2014-09-29 23:16 ` Darren Hart
2014-10-12 16:45 ` Pali Rohár
0 siblings, 1 reply; 6+ messages in thread
From: Darren Hart @ 2014-09-29 23:16 UTC (permalink / raw)
To: Rafael J. Wysocki
Cc: Pali Rohár, Matthew Garrett, platform-driver-x86,
linux-kernel, linux-acpi
On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki" <rjw@rjwysocki.net> wrote:
>On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
>> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
>> > Without this patch driver dell-wmi is trying to access elements of
>dynamically
>> > allocated array without checking array size. This can lead to
>memory corruption
>> > or kernel panic. This patch adds missing checks for array size.
>> >
>> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
>>
>> Looks good to me. Rafael, any concerns?
>
>Not anything obvious.
Queued, thanks.
>
>>
>> Cc: linux-acpi
>
>Thanks!
>
>
>> > ---
>> > This patch should be probably applied to stable kernel trees as it
>fixing
>> > possible memory corruption.
>> > ---
>> > drivers/platform/x86/dell-wmi.c | 12 +++++++++---
>> > 1 file changed, 9 insertions(+), 3 deletions(-)
>> >
>> > diff --git a/drivers/platform/x86/dell-wmi.c
>b/drivers/platform/x86/dell-wmi.c
>> > index 390e8e3..25721bf 100644
>> > --- a/drivers/platform/x86/dell-wmi.c
>> > +++ b/drivers/platform/x86/dell-wmi.c
>> > @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void
>*context)
>> > const struct key_entry *key;
>> > int reported_key;
>> > u16 *buffer_entry = (u16 *)obj->buffer.pointer;
>> > + int buffer_size = obj->buffer.length/2;
>> >
>> > - if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
>> > + if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] !=
>0x10) {
>> > pr_info("Received unknown WMI event (0x%x)\n",
>> > buffer_entry[1]);
>> > kfree(obj);
>> > return;
>> > }
>> >
>> > - if (dell_new_hk_type || buffer_entry[1] == 0x0)
>> > + if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] ==
>0x0))
>> > reported_key = (int)buffer_entry[2];
>> > - else
>> > + else if (buffer_size >= 2)
>> > reported_key = (int)buffer_entry[1] & 0xffff;
>> > + else {
>> > + pr_info("Received unknown WMI event\n");
>> > + kfree(obj);
>> > + return;
>> > + }
>> >
>> > key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
>> > reported_key);
>>
>>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] dell-wmi: Fix access out of memory
2014-09-29 23:16 ` Darren Hart
@ 2014-10-12 16:45 ` Pali Rohár
2014-10-12 22:32 ` Darren Hart
0 siblings, 1 reply; 6+ messages in thread
From: Pali Rohár @ 2014-10-12 16:45 UTC (permalink / raw)
To: Darren Hart
Cc: Rafael J. Wysocki, Matthew Garrett, platform-driver-x86,
linux-kernel, linux-acpi
[-- Attachment #1: Type: Text/Plain, Size: 928 bytes --]
On Tuesday 30 September 2014 01:16:23 Darren Hart wrote:
> On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki"
<rjw@rjwysocki.net> wrote:
> >On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
> >> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> >> > Without this patch driver dell-wmi is trying to access
> >> > elements of
> >
> >dynamically
> >
> >> > allocated array without checking array size. This can
> >> > lead to
> >
> >memory corruption
> >
> >> > or kernel panic. This patch adds missing checks for array
> >> > size.
> >> >
> >> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
> >>
> >> Looks good to me. Rafael, any concerns?
> >
> >Not anything obvious.
>
> Queued, thanks.
>
> >> Cc: linux-acpi
> >
> >Thanks!
> >
Now I see that this patch is in linus tree. Can you sent it to
stable trees too?
--
Pali Rohár
pali.rohar@gmail.com
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] dell-wmi: Fix access out of memory
2014-10-12 16:45 ` Pali Rohár
@ 2014-10-12 22:32 ` Darren Hart
0 siblings, 0 replies; 6+ messages in thread
From: Darren Hart @ 2014-10-12 22:32 UTC (permalink / raw)
To: Pali Rohár
Cc: Rafael J. Wysocki, Matthew Garrett, platform-driver-x86,
linux-kernel, linux-acpi
On Sun, Oct 12, 2014 at 06:45:06PM +0200, Pali Rohár wrote:
> On Tuesday 30 September 2014 01:16:23 Darren Hart wrote:
> > On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki"
> <rjw@rjwysocki.net> wrote:
> > >On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
> > >> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> > >> > Without this patch driver dell-wmi is trying to access
> > >> > elements of
> > >
> > >dynamically
> > >
> > >> > allocated array without checking array size. This can
> > >> > lead to
> > >
> > >memory corruption
> > >
> > >> > or kernel panic. This patch adds missing checks for array
> > >> > size.
> > >> >
> > >> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
> > >>
> > >> Looks good to me. Rafael, any concerns?
> > >
> > >Not anything obvious.
> >
> > Queued, thanks.
> >
> > >> Cc: linux-acpi
> > >
> > >Thanks!
> > >
>
> Now I see that this patch is in linus tree. Can you sent it to
> stable trees too?
Hi Pali,
Please see Documentation/stable_kernel_rules.txt for details on how to mark
patches for stable when you submit them. Now that it is in mainline, the process
is a bit more manual, you'll find instructions for how to go about that in the
same document.
Thanks,
--
Darren Hart
Intel Open Source Technology Center
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2014-10-12 22:33 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-09-29 13:10 [PATCH] dell-wmi: Fix access out of memory Pali Rohár
2014-09-29 21:30 ` Darren Hart
2014-09-29 23:26 ` Rafael J. Wysocki
2014-09-29 23:16 ` Darren Hart
2014-10-12 16:45 ` Pali Rohár
2014-10-12 22:32 ` Darren Hart
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).