| Message ID | 20240903083533.9403-1-hdegoede@redhat.com (mailing list archive) |
|---|---|
| State | Changes Requested, archived |
| Headers | show |
| Series | [1/3] platform/x86: panasonic-laptop: Check minimum SQTY value | expand |
On Tue, 3 Sep 2024, Hans de Goede wrote: > The panasonic laptop code in various places uses the sinf array with index > values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the sinf array > is big enough. > > Check for a minimum SQTY value of SINF_CUR_BRIGHT to avoid out of bounds > accesses of the sinf array. This description is a bit misleading. The patch is _not_ adding a bounds check to sinf array access paths but ensuring the allocation is big enough for those accesses. It took me a while to figure out so I suggest the wording is improved to clearly explain how the problem has been addressed.
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c index cf845ee1c7b1..d7f9017a5a13 100644 --- a/drivers/platform/x86/panasonic-laptop.c +++ b/drivers/platform/x86/panasonic-laptop.c @@ -963,8 +963,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) num_sifr = acpi_pcc_get_sqty(device); - if (num_sifr < 0 || num_sifr > 255) { - pr_err("num_sifr out of range"); + if (num_sifr < SINF_CUR_BRIGHT || num_sifr > 255) { + pr_err("num_sifr %d out of range %d - 255\n", num_sifr, SINF_CUR_BRIGHT); return -ENODEV; }
The panasonic laptop code in various places uses the sinf array with index values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the sinf array is big enough. Check for a minimum SQTY value of SINF_CUR_BRIGHT to avoid out of bounds accesses of the sinf array. Note SQTY returning SINF_CUR_BRIGHT is ok because the driver adds one extra entry to the sinf array. Fixes: e424fb8cc4e6 ("panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()") Cc: stable@vger.kernel.org Tested-by: James Harmison <jharmison@redhat.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> --- drivers/platform/x86/panasonic-laptop.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)