acpi/nfit: improve bounds checking for 'func' (adc3530d) · Commits · Summer2022 / 22b970497

Commit adc3530d authored 2 years ago by

Dan Carpenter Committed by Yongqiang Liu 2 years ago

acpi/nfit: improve bounds checking for 'func'

mainline inclusion
from mainline-v5.7-rc1
commit 01091c49
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5LBE7


CVE: NA

--------------------------------

The 'func' variable can come from the user in the __nd_ioctl().  If it's
too high then the (1 << func) shift in acpi_nfit_clear_to_send() is
undefined.  In acpi_nfit_ctl() we pass 'func' to test_bit(func, &dsm_mask)
which could result in an out of bounds access.

To fix these issues, I introduced the NVDIMM_CMD_MAX (31) define and
updated nfit_dsm_revid() to use that define as well instead of magic
numbers.

Fixes: 11189c10 ("acpi/nfit: Fix command-supported detection")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Link: https://lore.kernel.org/r/20200225161927.hvftuq7kjn547fyj@kili.mountain


Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Conflicts:
	drivers/acpi/nfit/core.c
	drivers/acpi/nfit/nfit.h
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

parent e0e80484

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 5 additions and 3 deletions

Please register or to comment