
Commit 17b82327 authored by Lin Ming, committed by Len Brown

ACPICA: Prevent possible allocation overrun during object copy



Original code did not handle the case where the object to be
copied was a namespace node.

Signed-off-by: Lin Ming <ming.m.lin@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
parent 3fe50208
+11 −3
@@ -677,16 +677,24 @@ acpi_ut_copy_simple_object(union acpi_operand_object *source_desc,
	u16 reference_count;
	union acpi_operand_object *next_object;
	acpi_status status;
	acpi_size copy_size;

	/* Save fields from destination that we don't want to overwrite */

	reference_count = dest_desc->common.reference_count;
	next_object = dest_desc->common.next_object;

	/* Copy the entire source object over the destination object */
	/*
	 * Copy the entire source object over the destination object.
	 * Note: Source can be either an operand object or namespace node.
	 */
	copy_size = sizeof(union acpi_operand_object);
	if (ACPI_GET_DESCRIPTOR_TYPE(source_desc) == ACPI_DESC_TYPE_NAMED) {
		copy_size = sizeof(struct acpi_namespace_node);
	}

	ACPI_MEMCPY((char *)dest_desc, (char *)source_desc,
		    sizeof(union acpi_operand_object));
	ACPI_MEMCPY(ACPI_CAST_PTR(char, dest_desc),
		    ACPI_CAST_PTR(char, source_desc), copy_size);

	/* Restore the saved fields */
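
Review bot: In the ACPI_DESC_TYPE_NAMED branch, copy_size becomes sizeof(struct acpi_namespace_node), and nothing in this hunk bounds it by the size of the destination, which is still treated as an operand object. The copy is safe only while a namespace node is no larger than union acpi_operand_object; a compile-time size check, or clamping copy_size to sizeof(union acpi_operand_object), would keep the ACPI_MEMCPY from overwriting past dest_desc if the node structure ever grows. Separately, the new comment still reads "Copy the entire source object over the destination object", but when the shorter size is used the tail of dest_desc keeps whatever it held before; the comment should say that this is intended, or the destination should be cleared before the copy.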