Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d9f65018 authored by Arjan van de Ven's avatar Arjan van de Ven Committed by Len Brown
Browse files

ACPI: Fix bound checks for copy_from_user in the acpi /proc code 



The ACPI /proc write() code takes an unsigned length argument like any write()
function, but then assigned it to a *signed* integer called "len".
Only after this is a sanity check for len done to make it not larger than 4.

Due to the type change a len < 0 is in principle also possible; this patch
adds a check for this.

Signed-off-by: default avatarArjan van de Ven <arjan@linux.intel.com>
Signed-off-by: default avatarLen Brown <len.brown@intel.com>
parent 0efe5e32

drivers/acpi/proc.c

+2 −0
Original line number Diff line number Diff line
@@ -398,6 +398,8 @@ acpi_system_write_wakeup_device(struct file *file, 


	if (len > 4)

		len = 4;

	if (len < 0)

		return -EFAULT;



	if (copy_from_user(strbuf, buffer, len))

		return -EFAULT;