On Tue, 3 Sep 2024, Hans de Goede wrote:
The panasonic laptop code in various places uses the sinf array with index
values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the sinf array
is big enough.
Check for a minimum SQTY value of SINF_CUR_BRIGHT to avoid out of bounds
accesses of the sinf array.
This description is a bit misleading. The patch is _not_ adding a bounds
check to sinf array access paths but ensuring the allocation is big
enough for those accesses. It took me a while to figure out so I suggest
the wording is improved to clearly explain how the problem has been
addressed.
--
i.
> Note SQTY returning SINF_CUR_BRIGHT is ok because the driver adds one extra
> entry to the sinf array.
>
> Fixes: e424fb8cc4e6 ("panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()")
> Cc: stable@vger.kernel.org
> Tested-by: James Harmison
jharmison@redhat.com
> Signed-off-by: Hans de Goede
hdegoede@redhat.com
> ---
> drivers/platform/x86/panasonic-laptop.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c
> index cf845ee1c7b1..d7f9017a5a13 100644
> --- a/drivers/platform/x86/panasonic-laptop.c
> +++ b/drivers/platform/x86/panasonic-laptop.c
> @@ -963,8 +963,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
>
> num_sifr = acpi_pcc_get_sqty(device);
>
> - if (num_sifr < 0 || num_sifr > 255) {
> - pr_err("num_sifr out of range");
> + if (num_sifr < SINF_CUR_BRIGHT || num_sifr > 255) {
> + pr_err("num_sifr %d out of range %d - 255\n", num_sifr, SINF_CUR_BRIGHT);
> return -ENODEV;
> }
>
>