| From 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f Mon Sep 17 00:00:00 2001 |
| From: Dominik Brodowski <linux@dominikbrodowski.net> |
| Date: Tue, 3 Aug 2010 09:33:45 +0200 |
| Subject: pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq |
| |
| From: Dominik Brodowski <linux@dominikbrodowski.net> |
| |
| commit 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f upstream. |
| |
| NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in |
| pcmcia_setup_isa_irq(): |
| |
| static u8 pcmcia_used_irq[NR_IRQS]; |
| |
| ... |
| |
| if ((try < 32) && pcmcia_used_irq[irq]) |
| continue; |
| |
| This is read-only, so if this address would be non-zero, it would just |
| mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway! |
| And as request_irq() fails for an irq >= NR_IRQS, the setting code path: |
| |
| pcmcia_used_irq[irq]++; |
| |
| is never reached as well. |
| |
| Reported-by: Christoph Fritz <chf.fritz@googlemail.com> |
| Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net> |
| Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/pcmcia/pcmcia_resource.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/pcmcia/pcmcia_resource.c |
| +++ b/drivers/pcmcia/pcmcia_resource.c |
| @@ -651,7 +651,7 @@ EXPORT_SYMBOL(__pcmcia_request_exclusive |
| #ifdef CONFIG_PCMCIA_PROBE |
| |
| /* mask of IRQs already reserved by other cards, we should avoid using them */ |
| -static u8 pcmcia_used_irq[NR_IRQS]; |
| +static u8 pcmcia_used_irq[32]; |
| |
| static irqreturn_t test_action(int cpl, void *dev_id) |
| { |
| @@ -674,6 +674,9 @@ static int pcmcia_setup_isa_irq(struct p |
| for (try = 0; try < 64; try++) { |
| irq = try % 32; |
| |
| + if (irq > NR_IRQS) |
| + continue; |
| + |
| /* marked as available by driver, not blocked by userspace? */ |
| if (!((mask >> irq) & 1)) |
| continue; |