* [PATCH] dell-wmi: Fix access out of memory
@ 2014-09-29 13:10 Pali Rohár
  2014-09-29 21:30 ` Darren Hart
  0 siblings, 1 reply; 6+ messages in thread
From: Pali Rohár @ 2014-09-29 13:10 UTC (permalink / raw)
  To: Matthew Garrett, Darren Hart
  Cc: platform-driver-x86, linux-kernel, Pali Rohár

Without this patch driver dell-wmi is trying to access elements of dynamically
allocated array without checking array size. This can lead to memory corruption
or kernel panic. This patch adds missing checks for array size.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
---
This patch should probably be applied to stable kernel trees as it fixes
possible memory corruption.
---
 drivers/platform/x86/dell-wmi.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
index 390e8e3..25721bf 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
 		const struct key_entry *key;
 		int reported_key;
 		u16 *buffer_entry = (u16 *)obj->buffer.pointer;
+		int buffer_size = obj->buffer.length/2;
 
-		if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
+		if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
 			pr_info("Received unknown WMI event (0x%x)\n",
 				buffer_entry[1]);
 			kfree(obj);
 			return;
 		}
 
-		if (dell_new_hk_type || buffer_entry[1] == 0x0)
+		if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
 			reported_key = (int)buffer_entry[2];
-		else
+		else if (buffer_size >= 2)
 			reported_key = (int)buffer_entry[1] & 0xffff;
+		else {
+			pr_info("Received unknown WMI event\n");
+			kfree(obj);
+			return;
+		}
 
 		key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
 							reported_key);
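
Review bot: the size checks are folded into the format selection, so a short buffer can be decoded with the wrong layout instead of being rejected. With dell_new_hk_type set and a two-entry buffer whose buffer_entry[1] is 0x10, the first test is false, `buffer_size >= 3` fails, and control falls into `else if (buffer_size >= 2)`, which reports buffer_entry[1] (0x10) as if it were an old-style scancode. The same fall-through happens for the old type when buffer_entry[1] == 0x0 and only two entries are present. Consider rejecting buffer_size < 2 up front, then choosing the layout from dell_new_hk_type and buffer_entry[1], and dropping the event if the chosen layout needs buffer_entry[2] but buffer_size < 3.
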
-- 
1.7.9.5



* Re: [PATCH] dell-wmi: Fix access out of memory
  2014-09-29 13:10 [PATCH] dell-wmi: Fix access out of memory Pali Rohár
@ 2014-09-29 21:30 ` Darren Hart
  2014-09-29 23:26   ` Rafael J. Wysocki
  0 siblings, 1 reply; 6+ messages in thread
From: Darren Hart @ 2014-09-29 21:30 UTC (permalink / raw)
  To: Pali Rohár
  Cc: Matthew Garrett, platform-driver-x86, linux-kernel, linux-acpi,
	rjw

On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> Without this patch driver dell-wmi is trying to access elements of dynamically
> allocated array without checking array size. This can lead to memory corruption
> or kernel panic. This patch adds missing checks for array size.
> 
> Signed-off-by: Pali Rohár <pali.rohar@gmail.com>

Looks good to me. Rafael, any concerns?

Cc: linux-acpi

> ---
> This patch should probably be applied to stable kernel trees as it fixes
> possible memory corruption.
> ---
>  drivers/platform/x86/dell-wmi.c |   12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
> index 390e8e3..25721bf 100644
> --- a/drivers/platform/x86/dell-wmi.c
> +++ b/drivers/platform/x86/dell-wmi.c
> @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
>  		const struct key_entry *key;
>  		int reported_key;
>  		u16 *buffer_entry = (u16 *)obj->buffer.pointer;
> +		int buffer_size = obj->buffer.length/2;
>  
> -		if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
> +		if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
>  			pr_info("Received unknown WMI event (0x%x)\n",
>  				buffer_entry[1]);
>  			kfree(obj);
>  			return;
>  		}
>  
> -		if (dell_new_hk_type || buffer_entry[1] == 0x0)
> +		if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
>  			reported_key = (int)buffer_entry[2];
> -		else
> +		else if (buffer_size >= 2)
>  			reported_key = (int)buffer_entry[1] & 0xffff;
> +		else {
> +			pr_info("Received unknown WMI event\n");
> +			kfree(obj);
> +			return;
> +		}
>  
>  		key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
>  							reported_key);
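
Review bot: the new if / else if / else chain around reported_key mixes unbraced and braced branches; because the final `else { ... }` needs braces, kernel coding style asks for braces on the `if` and `else if` branches as well. The two rewritten conditions, `if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {` and `if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))`, also run past 80 columns at this indentation and should be wrapped.
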
> -- 
> 1.7.9.5
> 
> 

-- 
Darren Hart
Intel Open Source Technology Center


* Re: [PATCH] dell-wmi: Fix access out of memory
  2014-09-29 23:26   ` Rafael J. Wysocki
@ 2014-09-29 23:16     ` Darren Hart
  2014-10-12 16:45       ` Pali Rohár
  0 siblings, 1 reply; 6+ messages in thread
From: Darren Hart @ 2014-09-29 23:16 UTC (permalink / raw)
  To: Rafael J. Wysocki
  Cc: Pali Rohár, Matthew Garrett, platform-driver-x86,
	linux-kernel, linux-acpi



On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki" <rjw@rjwysocki.net> wrote:
>On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
>> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
>> > Without this patch driver dell-wmi is trying to access elements of
>dynamically
>> > allocated array without checking array size. This can lead to
>memory corruption
>> > or kernel panic. This patch adds missing checks for array size.
>> > 
>> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
>> 
>> Looks good to me. Rafael, any concerns?
>
>Not anything obvious.

Queued, thanks.

>
>> 
>> Cc: linux-acpi
>
>Thanks!
>
>
>> > ---
>> > This patch should probably be applied to stable kernel trees as it fixes
>> > possible memory corruption.
>> > ---
>> >  drivers/platform/x86/dell-wmi.c |   12 +++++++++---
>> >  1 file changed, 9 insertions(+), 3 deletions(-)
>> > 
>> > diff --git a/drivers/platform/x86/dell-wmi.c
>b/drivers/platform/x86/dell-wmi.c
>> > index 390e8e3..25721bf 100644
>> > --- a/drivers/platform/x86/dell-wmi.c
>> > +++ b/drivers/platform/x86/dell-wmi.c
>> > @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void
>*context)
>> >  		const struct key_entry *key;
>> >  		int reported_key;
>> >  		u16 *buffer_entry = (u16 *)obj->buffer.pointer;
>> > +		int buffer_size = obj->buffer.length/2;
>> >  
>> > -		if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
>> > +		if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] !=
>0x10) {
>> >  			pr_info("Received unknown WMI event (0x%x)\n",
>> >  				buffer_entry[1]);
>> >  			kfree(obj);
>> >  			return;
>> >  		}
>> >  
>> > -		if (dell_new_hk_type || buffer_entry[1] == 0x0)
>> > +		if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] ==
>0x0))
>> >  			reported_key = (int)buffer_entry[2];
>> > -		else
>> > +		else if (buffer_size >= 2)
>> >  			reported_key = (int)buffer_entry[1] & 0xffff;
>> > +		else {
>> > +			pr_info("Received unknown WMI event\n");
>> > +			kfree(obj);
>> > +			return;
>> > +		}
>> >  
>> >  		key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
>> >  							reported_key);
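
Review bot: the thresholds in `buffer_size >= 2` and `buffer_size >= 3` are undocumented, and the name buffer_size suggests bytes while `obj->buffer.length/2` is a count of u16 entries. A one-line comment saying that 2 and 3 are the entry counts needed to read buffer_entry[1] and buffer_entry[2], plus a name that says "entries" rather than "size", would make the bounds obviously correct to the next reader.
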
>> 
>> 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


* Re: [PATCH] dell-wmi: Fix access out of memory
  2014-09-29 21:30 ` Darren Hart
@ 2014-09-29 23:26   ` Rafael J. Wysocki
  2014-09-29 23:16     ` Darren Hart
  0 siblings, 1 reply; 6+ messages in thread
From: Rafael J. Wysocki @ 2014-09-29 23:26 UTC (permalink / raw)
  To: Darren Hart
  Cc: Pali Rohár, Matthew Garrett, platform-driver-x86,
	linux-kernel, linux-acpi

On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> > Without this patch driver dell-wmi is trying to access elements of dynamically
> > allocated array without checking array size. This can lead to memory corruption
> > or kernel panic. This patch adds missing checks for array size.
> > 
> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
> 
> Looks good to me. Rafael, any concerns?

Not anything obvious.

> 
> Cc: linux-acpi

Thanks!


> > ---
> > This patch should probably be applied to stable kernel trees as it fixes
> > possible memory corruption.
> > ---
> >  drivers/platform/x86/dell-wmi.c |   12 +++++++++---
> >  1 file changed, 9 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
> > index 390e8e3..25721bf 100644
> > --- a/drivers/platform/x86/dell-wmi.c
> > +++ b/drivers/platform/x86/dell-wmi.c
> > @@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
> >  		const struct key_entry *key;
> >  		int reported_key;
> >  		u16 *buffer_entry = (u16 *)obj->buffer.pointer;
> > +		int buffer_size = obj->buffer.length/2;
> >  
> > -		if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
> > +		if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
> >  			pr_info("Received unknown WMI event (0x%x)\n",
> >  				buffer_entry[1]);
> >  			kfree(obj);
> >  			return;
> >  		}
> >  
> > -		if (dell_new_hk_type || buffer_entry[1] == 0x0)
> > +		if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
> >  			reported_key = (int)buffer_entry[2];
> > -		else
> > +		else if (buffer_size >= 2)
> >  			reported_key = (int)buffer_entry[1] & 0xffff;
> > +		else {
> > +			pr_info("Received unknown WMI event\n");
> > +			kfree(obj);
> > +			return;
> > +		}
> >  
> >  		key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
> >  							reported_key);
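
Review bot: the fallback message in the final else, `pr_info("Received unknown WMI event\n");`, gives no hint why the event was rejected, whereas the earlier message prints buffer_entry[1]. Since this path is only reached when the buffer is too short, logging the received length (obj->buffer.length or buffer_size) would make such reports diagnosable. Separately, `int buffer_size = obj->buffer.length/2;` holds a count that can never be negative, so an unsigned type would fit better, and the division wants spaces around `/`.
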
> 
> 

-- 
I speak only for myself.
Rafael J. Wysocki, Intel Open Source Technology Center.


* Re: [PATCH] dell-wmi: Fix access out of memory
  2014-09-29 23:16     ` Darren Hart
@ 2014-10-12 16:45       ` Pali Rohár
  2014-10-12 22:32         ` Darren Hart
  0 siblings, 1 reply; 6+ messages in thread
From: Pali Rohár @ 2014-10-12 16:45 UTC (permalink / raw)
  To: Darren Hart
  Cc: Rafael J. Wysocki, Matthew Garrett, platform-driver-x86,
	linux-kernel, linux-acpi


On Tuesday 30 September 2014 01:16:23 Darren Hart wrote:
> On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki" 
<rjw@rjwysocki.net> wrote:
> >On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
> >> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> >> > Without this patch driver dell-wmi is trying to access
> >> > elements of
> >
> >dynamically
> >
> >> > allocated array without checking array size. This can
> >> > lead to
> >
> >memory corruption
> >
> >> > or kernel panic. This patch adds missing checks for array
> >> > size.
> >> > 
> >> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
> >> 
> >> Looks good to me. Rafael, any concerns?
> >
> >Not anything obvious.
> 
> Queued, thanks.
> 
> >> Cc: linux-acpi
> >
> >Thanks!
> >

Now I see that this patch is in Linus' tree. Can you send it to
stable trees too?

-- 
Pali Rohár
pali.rohar@gmail.com


* Re: [PATCH] dell-wmi: Fix access out of memory
  2014-10-12 16:45       ` Pali Rohár
@ 2014-10-12 22:32         ` Darren Hart
  0 siblings, 0 replies; 6+ messages in thread
From: Darren Hart @ 2014-10-12 22:32 UTC (permalink / raw)
  To: Pali Rohár
  Cc: Rafael J. Wysocki, Matthew Garrett, platform-driver-x86,
	linux-kernel, linux-acpi

On Sun, Oct 12, 2014 at 06:45:06PM +0200, Pali Rohár wrote:
> On Tuesday 30 September 2014 01:16:23 Darren Hart wrote:
> > On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki" 
> <rjw@rjwysocki.net> wrote:
> > >On Monday, September 29, 2014 02:30:29 PM Darren Hart wrote:
> > >> On Mon, Sep 29, 2014 at 03:10:51PM +0200, Pali Rohár wrote:
> > >> > Without this patch driver dell-wmi is trying to access
> > >> > elements of
> > >
> > >dynamically
> > >
> > >> > allocated array without checking array size. This can
> > >> > lead to
> > >
> > >memory corruption
> > >
> > >> > or kernel panic. This patch adds missing checks for array
> > >> > size.
> > >> > 
> > >> > Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
> > >> 
> > >> Looks good to me. Rafael, any concerns?
> > >
> > >Not anything obvious.
> > 
> > Queued, thanks.
> > 
> > >> Cc: linux-acpi
> > >
> > >Thanks!
> > >
> 
> Now I see that this patch is in Linus' tree. Can you send it to
> stable trees too?

Hi Pali,

Please see Documentation/stable_kernel_rules.txt for details on how to mark
patches for stable when you submit them. Now that it is in mainline, the process
is a bit more manual, you'll find instructions for how to go about that in the
same document.

Thanks,

-- 
Darren Hart
Intel Open Source Technology Center
