ACPICA: Fix possible buffer overflow during a field unit read operation
Can only happen under these conditions: 1) The DSDT version is 1, meaning integers are 32-bits. 2) The field is between 33 and 64 bits long. It applies cleanly back to ACPICA 20100806+ (Linux v2.6.37+). Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Lv Zheng <lv.zheng@intel.com> Cc: 2.6.37+ <stable@vger.kernel.org> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
This commit is contained in:
Родитель
371deb9500
Коммит
61388f9e5d
|
@ -720,7 +720,19 @@ acpi_ex_extract_from_field(union acpi_operand_object *obj_desc,
|
|||
|
||||
if ((obj_desc->common_field.start_field_bit_offset == 0) &&
|
||||
(obj_desc->common_field.bit_length == access_bit_width)) {
|
||||
status = acpi_ex_field_datum_io(obj_desc, 0, buffer, ACPI_READ);
|
||||
if (buffer_length >= sizeof(u64)) {
|
||||
status =
|
||||
acpi_ex_field_datum_io(obj_desc, 0, buffer,
|
||||
ACPI_READ);
|
||||
} else {
|
||||
/* Use raw_datum (u64) to handle buffers < 64 bits */
|
||||
|
||||
status =
|
||||
acpi_ex_field_datum_io(obj_desc, 0, &raw_datum,
|
||||
ACPI_READ);
|
||||
ACPI_MEMCPY(buffer, &raw_datum, buffer_length);
|
||||
}
|
||||
|
||||
return_ACPI_STATUS(status);
|
||||
}
|
||||
|
||||
|
|
Загрузка…
Ссылка в новой задаче