Message ID | 20220413073744.GB8812@kili (mailing list archive) |
---|---|
State | Accepted, archived |
Series | platform/x86: asus-wmi: Potential buffer overflow in asus_wmi_evaluate_method_buf() |
Hi, On 4/13/22 09:37, Dan Carpenter wrote: > This code tests for if the obj->buffer.length is larger than the buffer > but then it just does the memcpy() anyway. > > Fixes: 0f0ac158d28f ("platform/x86: asus-wmi: Add support for custom fan curves") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Thank you for your patch, I've applied this patch to my review-hans branch: https://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86.git/log/?h=review-hans Note it will show up in my review-hans branch once I've pushed my local branch there, which might take a while. Once I've run some tests on this branch the patches there will be added to the platform-drivers-x86/for-next branch and eventually will be included in the pdx86 pull-request to Linus for the next merge-window. Regards, Hans > --- > drivers/platform/x86/asus-wmi.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c > index 2104a2621e50..7e3c0a8e3997 100644 > --- a/drivers/platform/x86/asus-wmi.c > +++ b/drivers/platform/x86/asus-wmi.c > @@ -371,10 +371,14 @@ static int asus_wmi_evaluate_method_buf(u32 method_id, > > switch (obj->type) { > case ACPI_TYPE_BUFFER: > - if (obj->buffer.length > size) > + if (obj->buffer.length > size) { > err = -ENOSPC; > - if (obj->buffer.length == 0) > + break; > + } > + if (obj->buffer.length == 0) { > err = -ENODATA; > + break; > + } > > memcpy(ret_buffer, obj->buffer.pointer, obj->buffer.length); > break;
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c index 2104a2621e50..7e3c0a8e3997 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c @@ -371,10 +371,14 @@ static int asus_wmi_evaluate_method_buf(u32 method_id, switch (obj->type) { case ACPI_TYPE_BUFFER: - if (obj->buffer.length > size) + if (obj->buffer.length > size) { err = -ENOSPC; - if (obj->buffer.length == 0) + break; + } + if (obj->buffer.length == 0) { err = -ENODATA; + break; + } memcpy(ret_buffer, obj->buffer.pointer, obj->buffer.length); break;
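Review bot: In the ACPI_TYPE_BUFFER case, the two new break statements leave ret_buffer unwritten whenever err is set to -ENOSPC or -ENODATA, and nothing in the visible lines tells callers that. A short comment on asus_wmi_evaluate_method_buf() stating that ret_buffer is only valid when the function returns 0 would keep a caller from consuming stale or uninitialised bytes after an oversized or empty firmware reply. The fix also depends on the code after the switch, which is outside this context, still releasing obj and returning err once the case exits early; that path is worth confirming when applying. The order of the checks is fine as written: an obj->buffer.length of 0 can never exceed size, so the -ENODATA branch remains reachable.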
This code tests for if the obj->buffer.length is larger than the buffer
but then it just does the memcpy() anyway.

Fixes: 0f0ac158d28f ("platform/x86: asus-wmi: Add support for custom fan curves")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/platform/x86/asus-wmi.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)