Skip to content

Commit

Permalink
ACPICA: Fix possible buffer overflow during a field unit read operation
Browse files Browse the repository at this point in the history
Can only happen under these conditions: 1) The DSDT version is 1,
meaning integers are 32-bits.  2) The field is between 33 and 64
bits long.

It applies cleanly back to ACPICA 20100806+ (Linux v2.6.37+).

Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Cc: 2.6.37+ <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
  • Loading branch information
Bob Moore authored and Rafael J. Wysocki committed May 8, 2013
1 parent 371deb9 commit 61388f9
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion drivers/acpi/acpica/exfldio.c
Original file line number Diff line number Diff line change
Expand Up @@ -720,7 +720,19 @@ acpi_ex_extract_from_field(union acpi_operand_object *obj_desc,

if ((obj_desc->common_field.start_field_bit_offset == 0) &&
(obj_desc->common_field.bit_length == access_bit_width)) {
status = acpi_ex_field_datum_io(obj_desc, 0, buffer, ACPI_READ);
if (buffer_length >= sizeof(u64)) {
status =
acpi_ex_field_datum_io(obj_desc, 0, buffer,
ACPI_READ);
} else {
/* Use raw_datum (u64) to handle buffers < 64 bits */

status =
acpi_ex_field_datum_io(obj_desc, 0, &raw_datum,
ACPI_READ);
ACPI_MEMCPY(buffer, &raw_datum, buffer_length);
}

return_ACPI_STATUS(status);
}

Expand Down

0 comments on commit 61388f9

Please sign in to comment.