From: Xi Wang <xi.wang@gmail.com>
Date: Thu, 29 Dec 2011 04:49:06 +0000 (-0500)
Subject: panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()
X-Git-Tag: v3.3~24^2
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=e424fb8cc4e6634c10f8159b1ff5618cf7bab9c6;p=linux-platform-drivers-x86.git

panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()

num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL
on error.  Then it could bypass the sanity check (num_sifr > 255).
The subsequent call to kzalloc() would allocate a small buffer, leading
to a memory corruption.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
---

diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c
index 05be30ee158b..ffff8b4b4949 100644
--- a/drivers/platform/x86/panasonic-laptop.c
+++ b/drivers/platform/x86/panasonic-laptop.c
@@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
 
 	num_sifr = acpi_pcc_get_sqty(device);
 
-	if (num_sifr > 255) {
-		ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large"));
+	if (num_sifr < 0 || num_sifr > 255) {
+		ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range"));
 		return -ENODEV;
 	}