Commit eceeb437 authored by Dan Carpenter's avatar Dan Carpenter Committed by Matthew Garrett

thinkpad_acpi: buffer overflow in fan_get_status()

The acpi_evalf() function modifies four bytes of data but in
fan_get_status() we pass a pointer to u8.  I have modified the
function to use type checking now.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarMatthew Garrett <mjg@redhat.com>
parent f661848b
......@@ -545,7 +545,7 @@ TPACPI_HANDLE(hkey, ec, "\\_SB.HKEY", /* 600e/x, 770e, 770x */
*/
static int acpi_evalf(acpi_handle handle,
void *res, char *method, char *fmt, ...)
int *res, char *method, char *fmt, ...)
{
char *fmt0 = fmt;
struct acpi_object_list params;
......@@ -606,7 +606,7 @@ static int acpi_evalf(acpi_handle handle,
success = (status == AE_OK &&
out_obj.type == ACPI_TYPE_INTEGER);
if (success && res)
*(int *)res = out_obj.integer.value;
*res = out_obj.integer.value;
break;
case 'v': /* void */
success = status == AE_OK;
......@@ -7386,17 +7386,18 @@ static int fan_get_status(u8 *status)
* Add TPACPI_FAN_RD_ACPI_FANS ? */
switch (fan_status_access_mode) {
case TPACPI_FAN_RD_ACPI_GFAN:
case TPACPI_FAN_RD_ACPI_GFAN: {
/* 570, 600e/x, 770e, 770x */
int res;
if (unlikely(!acpi_evalf(gfan_handle, &s, NULL, "d")))
if (unlikely(!acpi_evalf(gfan_handle, &res, NULL, "d")))
return -EIO;
if (likely(status))
*status = s & 0x07;
*status = res & 0x07;
break;
}
case TPACPI_FAN_RD_TPEC:
/* all except 570, 600e/x, 770e, 770x */
if (unlikely(!acpi_ec_read(fan_status_offset, &s)))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment