From d9f65018065ee1b161a85f54132193f248a45439 Mon Sep 17 00:00:00 2001
From: Arjan van de Ven <arjan@linux.intel.com>
Date: Sat, 26 Sep 2009 20:50:25 +0200
Subject: ACPI: Fix bound checks for copy_from_user in the acpi /proc code

The ACPI /proc write() code takes an unsigned length argument like any write()
function, but then assigned it to a *signed* integer called "len".
Only after this is a sanity check for len done to make it not larger than 4.

Due to the type change a len < 0 is in principle also possible; this patch
adds a check for this.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
---
 drivers/acpi/proc.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'drivers/acpi/proc.c')

diff --git a/drivers/acpi/proc.c b/drivers/acpi/proc.c
index d0d550d22a6..f8b6f555ba5 100644
--- a/drivers/acpi/proc.c
+++ b/drivers/acpi/proc.c
@@ -398,6 +398,8 @@ acpi_system_write_wakeup_device(struct file *file,
 
 	if (len > 4)
 		len = 4;
+	if (len < 0)
+		return -EFAULT;
 
 	if (copy_from_user(strbuf, buffer, len))
 		return -EFAULT;
-- 
cgit v1.2.3