thinkpad_acpi: buffer overflow in fan_get_status()
authorDan Carpenter <dan.carpenter@oracle.com>
Sat, 1 Sep 2012 19:54:07 +0000 (12:54 -0700)
committerMatthew Garrett <mjg@redhat.com>
Thu, 13 Sep 2012 20:46:31 +0000 (16:46 -0400)
The acpi_evalf() function modifies four bytes of data but in
fan_get_status() we pass a pointer to u8.  I have modified the
function to use type checking now.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
drivers/platform/x86/thinkpad_acpi.c

index 80e3779..52daaa8 100644 (file)
@@ -545,7 +545,7 @@ TPACPI_HANDLE(hkey, ec, "\\_SB.HKEY",       /* 600e/x, 770e, 770x */
  */
 
 static int acpi_evalf(acpi_handle handle,
-                     void *res, char *method, char *fmt, ...)
+                     int *res, char *method, char *fmt, ...)
 {
        char *fmt0 = fmt;
        struct acpi_object_list params;
@@ -606,7 +606,7 @@ static int acpi_evalf(acpi_handle handle,
                success = (status == AE_OK &&
                           out_obj.type == ACPI_TYPE_INTEGER);
                if (success && res)
-                       *(int *)res = out_obj.integer.value;
+                       *res = out_obj.integer.value;
                break;
        case 'v':               /* void */
                success = status == AE_OK;
@@ -7386,17 +7386,18 @@ static int fan_get_status(u8 *status)
         * Add TPACPI_FAN_RD_ACPI_FANS ? */
 
        switch (fan_status_access_mode) {
-       case TPACPI_FAN_RD_ACPI_GFAN:
+       case TPACPI_FAN_RD_ACPI_GFAN: {
                /* 570, 600e/x, 770e, 770x */
+               int res;
 
-               if (unlikely(!acpi_evalf(gfan_handle, &s, NULL, "d")))
+               if (unlikely(!acpi_evalf(gfan_handle, &res, NULL, "d")))
                        return -EIO;
 
                if (likely(status))
-                       *status = s & 0x07;
+                       *status = res & 0x07;
 
                break;
-
+       }
        case TPACPI_FAN_RD_TPEC:
                /* all except 570, 600e/x, 770e, 770x */
                if (unlikely(!acpi_ec_read(fan_status_offset, &s)))