releases/2.6.35.2/pcmcia-avoid-buffer-overflow-in-pcmcia_setup_isa_irq.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f Mon Sep 17 00:00:00 2001
 From: Dominik Brodowski <linux@dominikbrodowski.net>
 Date: Tue, 3 Aug 2010 09:33:45 +0200
 Subject: pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq

 From: Dominik Brodowski <linux@dominikbrodowski.net>

 commit 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f upstream.

 NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in
 pcmcia_setup_isa_irq():

 static u8 pcmcia_used_irq[NR_IRQS];

 ...

 		if ((try < 32) && pcmcia_used_irq[irq])
 			continue;

 This is read-only, so if this address would be non-zero, it would just
 mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway!
 And as request_irq() fails for an irq >= NR_IRQS, the setting code path:

 			pcmcia_used_irq[irq]++;

 is never reached as well.

 Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
 Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
 Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  drivers/pcmcia/pcmcia_resource.c |    5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)

 --- a/drivers/pcmcia/pcmcia_resource.c
 +++ b/drivers/pcmcia/pcmcia_resource.c
 @@ -651,7 +651,7 @@ EXPORT_SYMBOL(__pcmcia_request_exclusive
  #ifdef CONFIG_PCMCIA_PROBE

  /* mask of IRQs already reserved by other cards, we should avoid using them */
 -static u8 pcmcia_used_irq[NR_IRQS];
 +static u8 pcmcia_used_irq[32];

  static irqreturn_t test_action(int cpl, void *dev_id)
  {
 @@ -674,6 +674,9 @@ static int pcmcia_setup_isa_irq(struct p
  	for (try = 0; try < 64; try++) {
  		irq = try % 32;

 +		if (irq > NR_IRQS)
 +			continue;
 +
  		/* marked as available by driver, not blocked by userspace? */
  		if (!((mask >> irq) & 1))
  			continue;
	From 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f Mon Sep 17 00:00:00 2001
	From: Dominik Brodowski <linux@dominikbrodowski.net>
	Date: Tue, 3 Aug 2010 09:33:45 +0200
	Subject: pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq

	From: Dominik Brodowski <linux@dominikbrodowski.net>

	commit 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f upstream.

	NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in
	pcmcia_setup_isa_irq():

	static u8 pcmcia_used_irq[NR_IRQS];

	...

	if ((try < 32) && pcmcia_used_irq[irq])
	continue;

	This is read-only, so if this address would be non-zero, it would just
	mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway!
	And as request_irq() fails for an irq >= NR_IRQS, the setting code path:

	pcmcia_used_irq[irq]++;

	is never reached as well.

	Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
	Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
	Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	drivers/pcmcia/pcmcia_resource.c \| 5 ++++-
	1 file changed, 4 insertions(+), 1 deletion(-)

	--- a/drivers/pcmcia/pcmcia_resource.c
	+++ b/drivers/pcmcia/pcmcia_resource.c
	@@ -651,7 +651,7 @@ EXPORT_SYMBOL(__pcmcia_request_exclusive
	#ifdef CONFIG_PCMCIA_PROBE

	/* mask of IRQs already reserved by other cards, we should avoid using them */
	-static u8 pcmcia_used_irq[NR_IRQS];
	+static u8 pcmcia_used_irq[32];

	static irqreturn_t test_action(int cpl, void *dev_id)
	{
	@@ -674,6 +674,9 @@ static int pcmcia_setup_isa_irq(struct p
	for (try = 0; try < 64; try++) {
	irq = try % 32;

	+ if (irq > NR_IRQS)
	+ continue;
	+
	/* marked as available by driver, not blocked by userspace? */
	if (!((mask >> irq) & 1))
	continue;