ACPI: Fix bound checks for copy_from_user in the acpi /proc code · d9f6501806 - Gogs

ACPI: Fix bound checks for copy_from_user in the acpi /proc code

The ACPI /proc write() code takes an unsigned length argument like any write()
function, but then assigned it to a *signed* integer called "len".
Only after this is a sanity check for len done to make it not larger than 4.

Due to the type change a len < 0 is in principle also possible; this patch
adds a check for this.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>

Arjan van de Ven 15 年之前

父節點

0efe5e32c8

當前提交

d9f6501806

共有 1 個文件被更改，包括 2 次插入 和 0 次删除

分割檢視顯示文件統計

						
							+ 2
							
							- 0
						
drivers/acpi/proc.c
							 
								查看文件
							
				@@ -398,6 +398,8 @@ acpi_system_write_wakeup_device(struct file *file,
			
				 	if (len > 4)
			
				 		len = 4;
			
				+	if (len < 0)
			
				+		return -EFAULT;
			
				 	if (copy_from_user(strbuf, buffer, len))
			
				 		return -EFAULT;