From: Arjan van de Ven <arjan@linux.intel.com>
Date: Sat, 26 Sep 2009 18:50:25 +0000 (+0200)
Subject: ACPI: Fix bound checks for copy_from_user in the acpi /proc code
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d9f65018065ee1b161a85f54132193f248a45439;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git

ACPI: Fix bound checks for copy_from_user in the acpi /proc code

The ACPI /proc write() code takes an unsigned length argument like any write()
function, but then assigned it to a *signed* integer called "len".
Only after this is a sanity check for len done to make it not larger than 4.

Due to the type change a len < 0 is in principle also possible; this patch
adds a check for this.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
---

diff --git a/drivers/acpi/proc.c b/drivers/acpi/proc.c
index d0d550d22a6d..f8b6f555ba52 100644
--- a/drivers/acpi/proc.c
+++ b/drivers/acpi/proc.c
@@ -398,6 +398,8 @@ acpi_system_write_wakeup_device(struct file *file,
 
 	if (len > 4)
 		len = 4;
+	if (len < 0)
+		return -EFAULT;
 
 	if (copy_from_user(strbuf, buffer, len))
 		return -EFAULT;