Discussion:
[PATCH] dell-wmi: Fix access out of memory
Pali Rohár
2014-09-29 13:10:51 UTC
Without this patch driver dell-wmi is trying to access elements of dynamically
allocated array without checking array size. This can lead to memory corruption
or kernel panic. This patch adds missing checks for array size.

Signed-off-by: Pali Rohár <***@gmail.com>
---
This patch should be probably applied to stable kernel trees as it is fixing
possible memory corruption.
---
drivers/platform/x86/dell-wmi.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/del=
l-wmi.c
index 390e8e3..25721bf 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *cont=
ext)
const struct key_entry *key;
int reported_key;
u16 *buffer_entry =3D (u16 *)obj->buffer.pointer;
+ int buffer_size =3D obj->buffer.length/2;
=20
- if (dell_new_hk_type && (buffer_entry[1] !=3D 0x10)) {
+ if (buffer_size >=3D 2 && dell_new_hk_type && buffer_entry[1] !=3D 0=
x10) {
pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]);
kfree(obj);
return;
}
=20
- if (dell_new_hk_type || buffer_entry[1] =3D=3D 0x0)
+ if (buffer_size >=3D 3 && (dell_new_hk_type || buffer_entry[1] =3D=3D=
0x0))
reported_key =3D (int)buffer_entry[2];
- else
+ else if (buffer_size >=3D 2)
reported_key =3D (int)buffer_entry[1] & 0xffff;
+ else {
+ pr_info("Received unknown WMI event\n");
+ kfree(obj);
+ return;
+ }
=20
key =3D sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key);
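Review bot: the `else if (buffer_size >= 2)` fallback accepts short buffers on the wrong path instead of rejecting them. When `dell_new_hk_type` is set and the buffer holds exactly two u16 entries with `buffer_entry[1] == 0x10`, the first check passes, the `buffer_size >= 3` condition fails, and the code drops into the legacy branch and reports `buffer_entry[1]` (the event identifier 0x10) as the scancode. The same happens in the legacy case when `buffer_entry[1] == 0x0` and no third entry exists. Consider validating the length before any element is read: bail out with the "Received unknown WMI event" message when `buffer_size < 2`, and bail out again when the `buffer_entry[2]` path is selected but `buffer_size < 3`, so that the branch taken depends only on the event format and not on how much data arrived. Since `buffer_size` is only ever a count, declaring it unsigned rather than `int` would also avoid signed comparisons.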
--=20
1.7.9.5
Darren Hart
2014-09-29 21:30:29 UTC
Without this patch driver dell-wmi is trying to access elements of dynamically
allocated array without checking array size. This can lead to memory corruption
or kernel panic. This patch adds missing checks for array size.

Looks good to me. Rafael, any concerns?

Cc: linux-acpi
---
This patch should be probably applied to stable kernel trees as it is fixing
possible memory corruption.
---
drivers/platform/x86/dell-wmi.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
=20
diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/d=
ell-wmi.c
index 390e8e3..25721bf 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *co=
ntext)
const struct key_entry *key;
int reported_key;
u16 *buffer_entry =3D (u16 *)obj->buffer.pointer;
+ int buffer_size =3D obj->buffer.length/2;
=20
- if (dell_new_hk_type && (buffer_entry[1] !=3D 0x10)) {
+ if (buffer_size >=3D 2 && dell_new_hk_type && buffer_entry[1] !=3D=
0x10) {
pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]);
kfree(obj);
return;
}
=20
- if (dell_new_hk_type || buffer_entry[1] =3D=3D 0x0)
+ if (buffer_size >=3D 3 && (dell_new_hk_type || buffer_entry[1] =3D=
=3D 0x0))
reported_key =3D (int)buffer_entry[2];
- else
+ else if (buffer_size >=3D 2)
reported_key =3D (int)buffer_entry[1] & 0xffff;
+ else {
+ pr_info("Received unknown WMI event\n");
+ kfree(obj);
+ return;
+ }
=20
key =3D sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key);
--=20
1.7.9.5
--
Darren Hart
Intel Open Source Technology Center
Rafael J. Wysocki
2014-09-29 23:26:03 UTC
Post by Darren Hart
Without this patch driver dell-wmi is trying to access elements of dynamically
allocated array without checking array size. This can lead to memory corruption
or kernel panic. This patch adds missing checks for array size.

Looks good to me. Rafael, any concerns?
Not anything obvious.
Post by Darren Hart
Cc: linux-acpi
Thanks!
Post by Darren Hart
---
This patch should be probably applied to stable kernel trees as it is fixing
possible memory corruption.
---
drivers/platform/x86/dell-wmi.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
=20
diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86=
/dell-wmi.c
Post by Darren Hart
index 390e8e3..25721bf 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *=
context)
Post by Darren Hart
const struct key_entry *key;
int reported_key;
u16 *buffer_entry =3D (u16 *)obj->buffer.pointer;
+ int buffer_size =3D obj->buffer.length/2;
=20
- if (dell_new_hk_type && (buffer_entry[1] !=3D 0x10)) {
+ if (buffer_size >=3D 2 && dell_new_hk_type && buffer_entry[1] !=3D=
0x10) {
Post by Darren Hart
pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]);
kfree(obj);
return;
}
=20
- if (dell_new_hk_type || buffer_entry[1] =3D=3D 0x0)
+ if (buffer_size >=3D 3 && (dell_new_hk_type || buffer_entry[1] =3D=
=3D 0x0))
Post by Darren Hart
reported_key =3D (int)buffer_entry[2];
- else
+ else if (buffer_size >=3D 2)
reported_key =3D (int)buffer_entry[1] & 0xffff;
+ else {
+ pr_info("Received unknown WMI event\n");
+ kfree(obj);
+ return;
+ }
=20
key =3D sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key);
--
I speak only for myself.
Rafael J. Wysocki, Intel Open Source Technology Center.
Darren Hart
2014-09-29 23:16:23 UTC
Post by Rafael J. Wysocki
Post by Darren Hart
Post by Pali Rohár
Without this patch driver dell-wmi is trying to access elements of dynamically
allocated array without checking array size. This can lead to memory corruption
or kernel panic. This patch adds missing checks for array size.

Looks good to me. Rafael, any concerns?
Not anything obvious.
Queued, thanks.
Post by Rafael J. Wysocki
Post by Darren Hart
Cc: linux-acpi
Thanks!
Post by Darren Hart
Post by Pali Rohár
---
This patch should be probably applied to stable kernel trees as it is fixing
possible memory corruption.
---
drivers/platform/x86/dell-wmi.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
=20
diff --git a/drivers/platform/x86/dell-wmi.c
b/drivers/platform/x86/dell-wmi.c
Post by Darren Hart
Post by Pali Rohár
index 390e8e3..25721bf 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void
*context)
Post by Darren Hart
Post by Pali Rohár
const struct key_entry *key;
int reported_key;
u16 *buffer_entry =3D (u16 *)obj->buffer.pointer;
+ int buffer_size =3D obj->buffer.length/2;
=20
- if (dell_new_hk_type && (buffer_entry[1] !=3D 0x10)) {
+ if (buffer_size >=3D 2 && dell_new_hk_type && buffer_entry[1] !=
=3D
Post by Rafael J. Wysocki
0x10) {
Post by Darren Hart
Post by Pali Rohár
pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]);
kfree(obj);
return;
}
=20
- if (dell_new_hk_type || buffer_entry[1] =3D=3D 0x0)
+ if (buffer_size >=3D 3 && (dell_new_hk_type || buffer_entry[1] =
=3D=3D
Post by Rafael J. Wysocki
0x0))
Post by Darren Hart
Post by Pali Rohár
reported_key =3D (int)buffer_entry[2];
- else
+ else if (buffer_size >=3D 2)
reported_key =3D (int)buffer_entry[1] & 0xffff;
+ else {
+ pr_info("Received unknown WMI event\n");
+ kfree(obj);
+ return;
+ }
=20
key =3D sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key);
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Pali Rohár
2014-10-12 16:45:06 UTC
On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki"
Post by Rafael J. Wysocki
Post by Darren Hart
Post by Pali Rohár
Without this patch driver dell-wmi is trying to access elements of dynamically
allocated array without checking array size. This can lead to memory corruption
or kernel panic. This patch adds missing checks for array size.
Looks good to me. Rafael, any concerns?
Not anything obvious.
Queued, thanks.
Post by Rafael J. Wysocki
Post by Darren Hart
Cc: linux-acpi
Thanks!
Now I see that this patch is in Linus' tree. Can you send it to
stable trees too?
--
Pali Rohár
***@gmail.com
Darren Hart
2014-10-12 22:32:38 UTC
On September 29, 2014 4:26:03 PM PDT, "Rafael J. Wysocki"
Post by Rafael J. Wysocki
Post by Darren Hart
Post by Pali Rohár
Without this patch driver dell-wmi is trying to access elements of dynamically
allocated array without checking array size. This can lead to memory corruption
or kernel panic. This patch adds missing checks for array size.

Looks good to me. Rafael, any concerns?
Not anything obvious.

Queued, thanks.

Post by Rafael J. Wysocki
Post by Darren Hart
Cc: linux-acpi
Thanks!

Now I see that this patch is in Linus' tree. Can you send it to
stable trees too?
Hi Pali,

Please see Documentation/stable_kernel_rules.txt for details on how to mark
patches for stable when you submit them. Now that it is in mainline, the process
is a bit more manual, you'll find instructions for how to go about that in the
same document.

Thanks,

--
Darren Hart
Intel Open Source Technology Center
