Skip to content

Commit eb617dd

Browse files
kuu-rtij-intel
kuu-rt
authored and
ij-intel
committed
platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks
After retrieving WMI data blocks in sysfs callbacks, check for the validity of them before dereferencing their content. Reported-by: Jan Graczyk <[email protected]> Closes: https://lore.kernel.org/r/CAHk-=wgMiSKXf7SvQrfEnxVtmT=QVQPjJdNjfm3aXS7wc=rzTw@mail.gmail.com/ Fixes: e8a60aa ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") Suggested-by: Linus Torvalds <[email protected]> Reviewed-by: Armin Wolf <[email protected]> Signed-off-by: Kurt Borja <[email protected]> Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Ilpo Järvinen <[email protected]> Signed-off-by: Ilpo Järvinen <[email protected]>
1 parent 50b6914 commit eb617dd

File tree

6 files changed

+21
-12
lines changed

6 files changed

+21
-12
lines changed

drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -89,6 +89,11 @@ extern struct wmi_sysman_priv wmi_priv;
8989

9090
enum { ENUM, INT, STR, PO };
9191

92+
#define ENUM_MIN_ELEMENTS 8
93+
#define INT_MIN_ELEMENTS 9
94+
#define STR_MIN_ELEMENTS 8
95+
#define PO_MIN_ELEMENTS 4
96+
9297
enum {
9398
ATTR_NAME,
9499
DISPL_NAME_LANG_CODE,

drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,9 +23,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
2323
obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_ENUMERATION_ATTRIBUTE_GUID);
2424
if (!obj)
2525
return -EIO;
26-
if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
26+
if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < ENUM_MIN_ELEMENTS ||
27+
obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
2728
kfree(obj);
28-
return -EINVAL;
29+
return -EIO;
2930
}
3031
ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
3132
kfree(obj);

drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
2525
obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_INTEGER_ATTRIBUTE_GUID);
2626
if (!obj)
2727
return -EIO;
28-
if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
28+
if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < INT_MIN_ELEMENTS ||
29+
obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
2930
kfree(obj);
30-
return -EINVAL;
31+
return -EIO;
3132
}
3233
ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[CURRENT_VAL].integer.value);
3334
kfree(obj);

drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,9 +26,10 @@ static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr
2626
obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_PASSOBJ_ATTRIBUTE_GUID);
2727
if (!obj)
2828
return -EIO;
29-
if (obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
29+
if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < PO_MIN_ELEMENTS ||
30+
obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
3031
kfree(obj);
31-
return -EINVAL;
32+
return -EIO;
3233
}
3334
ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[IS_PASS_SET].integer.value);
3435
kfree(obj);

drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
2525
obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_STRING_ATTRIBUTE_GUID);
2626
if (!obj)
2727
return -EIO;
28-
if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
28+
if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < STR_MIN_ELEMENTS ||
29+
obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
2930
kfree(obj);
30-
return -EINVAL;
31+
return -EIO;
3132
}
3233
ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
3334
kfree(obj);

drivers/platform/x86/dell/dell-wmi-sysman/sysman.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -407,10 +407,10 @@ static int init_bios_attributes(int attr_type, const char *guid)
407407
return retval;
408408

409409
switch (attr_type) {
410-
case ENUM: min_elements = 8; break;
411-
case INT: min_elements = 9; break;
412-
case STR: min_elements = 8; break;
413-
case PO: min_elements = 4; break;
410+
case ENUM: min_elements = ENUM_MIN_ELEMENTS; break;
411+
case INT: min_elements = INT_MIN_ELEMENTS; break;
412+
case STR: min_elements = STR_MIN_ELEMENTS; break;
413+
case PO: min_elements = PO_MIN_ELEMENTS; break;
414414
default:
415415
pr_err("Error: Unknown attr_type: %d\n", attr_type);
416416
return -EINVAL;

0 commit comments

Comments
 (0)