aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2012-09-01 15:54:07 -0400
committerMatthew Garrett <mjg@redhat.com>2012-09-13 16:46:31 -0400
commiteceeb4371240aff22e9a535a2bc57d2311820942 (patch)
tree5b477baa91dc4ca2b344d160b780e1a3339275c9 /drivers
parentf661848b74b33069b0b7068c414bd282c407781d (diff)
thinkpad_acpi: buffer overflow in fan_get_status()
The acpi_evalf() function modifies four bytes of data but in fan_get_status() we pass a pointer to u8. I have modified the function to use type checking now. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Matthew Garrett <mjg@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/platform/x86/thinkpad_acpi.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
index 80e377949314..52daaa816e53 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -545,7 +545,7 @@ TPACPI_HANDLE(hkey, ec, "\\_SB.HKEY", /* 600e/x, 770e, 770x */
545 */ 545 */
546 546
547static int acpi_evalf(acpi_handle handle, 547static int acpi_evalf(acpi_handle handle,
548 void *res, char *method, char *fmt, ...) 548 int *res, char *method, char *fmt, ...)
549{ 549{
550 char *fmt0 = fmt; 550 char *fmt0 = fmt;
551 struct acpi_object_list params; 551 struct acpi_object_list params;
@@ -606,7 +606,7 @@ static int acpi_evalf(acpi_handle handle,
606 success = (status == AE_OK && 606 success = (status == AE_OK &&
607 out_obj.type == ACPI_TYPE_INTEGER); 607 out_obj.type == ACPI_TYPE_INTEGER);
608 if (success && res) 608 if (success && res)
609 *(int *)res = out_obj.integer.value; 609 *res = out_obj.integer.value;
610 break; 610 break;
611 case 'v': /* void */ 611 case 'v': /* void */
612 success = status == AE_OK; 612 success = status == AE_OK;
@@ -7386,17 +7386,18 @@ static int fan_get_status(u8 *status)
7386 * Add TPACPI_FAN_RD_ACPI_FANS ? */ 7386 * Add TPACPI_FAN_RD_ACPI_FANS ? */
7387 7387
7388 switch (fan_status_access_mode) { 7388 switch (fan_status_access_mode) {
7389 case TPACPI_FAN_RD_ACPI_GFAN: 7389 case TPACPI_FAN_RD_ACPI_GFAN: {
7390 /* 570, 600e/x, 770e, 770x */ 7390 /* 570, 600e/x, 770e, 770x */
7391 int res;
7391 7392
7392 if (unlikely(!acpi_evalf(gfan_handle, &s, NULL, "d"))) 7393 if (unlikely(!acpi_evalf(gfan_handle, &res, NULL, "d")))
7393 return -EIO; 7394 return -EIO;
7394 7395
7395 if (likely(status)) 7396 if (likely(status))
7396 *status = s & 0x07; 7397 *status = res & 0x07;
7397 7398
7398 break; 7399 break;
7399 7400 }
7400 case TPACPI_FAN_RD_TPEC: 7401 case TPACPI_FAN_RD_TPEC:
7401 /* all except 570, 600e/x, 770e, 770x */ 7402 /* all except 570, 600e/x, 770e, 770x */
7402 if (unlikely(!acpi_ec_read(fan_status_offset, &s))) 7403 if (unlikely(!acpi_ec_read(fan_status_offset, &s)))