Google Git
Sign in
kernel / pub / scm / linux / kernel / git / paulg / longterm-queue-5.2 / 3667dbef7d8a3829e020a1a910312c9260501cd0 / . / release / 5.2.40 / cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch
blob: 481bd1682587cb5b749295a01221e67b2ca42f85 [file] [log] [blame]
From 361e2e315b7c987cf0f92c1cbeeb0b2afe782314 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 7 Jan 2020 16:04:41 +0300
Subject: [PATCH] cmd64x: potential buffer overflow in cmd64x_program_timings()
commit 117fcc3053606d8db5cef8821dca15022ae578bb upstream.
The "drive->dn" value is a u8 and it is controlled by root only, but
it could be out of bounds here so let's check.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
diff --git a/drivers/ide/cmd64x.c b/drivers/ide/cmd64x.c
index a1898e11b04e..943bf944bf72 100644
--- a/drivers/ide/cmd64x.c
+++ b/drivers/ide/cmd64x.c
@@ -66,6 +66,9 @@ static void cmd64x_program_timings(ide_drive_t *drive, u8 mode)
struct ide_timing t;
u8 arttim = 0;
+ if (drive->dn >= ARRAY_SIZE(drwtim_regs))
+ return;
+
ide_timing_compute(drive, mode, &t, T, 0);
/*
--
2.7.4