From: Xi Wang Date: Thu, 29 Dec 2011 04:49:06 +0000 (-0500) Subject: panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add() X-Git-Tag: v3.3~24^2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e424fb8cc4e6634c10f8159b1ff5618cf7bab9c6;p=platform%2Fkernel%2Flinux-stable.git panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add() num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL on error. Then it could bypass the sanity check (num_sifr > 255). The subsequent call to kzalloc() would allocate a small buffer, leading to a memory corruption. Signed-off-by: Xi Wang Signed-off-by: Matthew Garrett --- diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c index 05be30e..ffff8b4 100644 --- a/drivers/platform/x86/panasonic-laptop.c +++ b/drivers/platform/x86/panasonic-laptop.c @@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) num_sifr = acpi_pcc_get_sqty(device); - if (num_sifr > 255) { - ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large")); + if (num_sifr < 0 || num_sifr > 255) { + ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range")); return -ENODEV; }