[PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
Dominik Brodowski
linux at dominikbrodowski.net
Thu Aug 12 11:07:47 EDT 2010
commit 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f upstream.
NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in
pcmcia_setup_isa_irq():
static u8 pcmcia_used_irq[NR_IRQS];
...
if ((try < 32) && pcmcia_used_irq[irq])
continue;
This is read-only, so if this address would be non-zero, it would just
mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway!
And as request_irq() fails for an irq >= NR_IRQS, the setting code path:
pcmcia_used_irq[irq]++;
is never reached as well.
Reported-by: Christoph Fritz <chf.fritz at googlemail.com>
Signed-off-by: Dominik Brodowski <linux at dominikbrodowski.net>
Signed-off-by: Christoph Fritz <chf.fritz at googlemail.com>
---
Note: a similar patch is already queued for 2.6.35.2. This patch applies to
2.6.34 and all other previous stable kernels still maintained.
diff --git a/drivers/pcmcia/pcmcia_resource.c b/drivers/pcmcia/pcmcia_resource.c
index 7c3d03b..cfcf868 100644
--- a/drivers/pcmcia/pcmcia_resource.c
+++ b/drivers/pcmcia/pcmcia_resource.c
@@ -41,7 +41,7 @@ module_param(io_speed, int, 0444);
#ifdef CONFIG_PCMCIA_PROBE
#include <asm/irq.h>
/* mask of IRQs already reserved by other cards, we should avoid using them */
-static u8 pcmcia_used_irq[NR_IRQS];
+static u8 pcmcia_used_irq[32];
#endif
static int pcmcia_adjust_io_region(struct resource *res, unsigned long start,
@@ -768,6 +768,9 @@ int pcmcia_request_irq(struct pcmcia_device *p_dev, irq_req_t *req)
for (try = 0; try < 64; try++) {
irq = try % 32;
+ if (irq > NR_IRQS)
+ continue;
+
/* marked as available by driver, and not blocked by userspace? */
if (!((mask >> irq) & 1))
continue;
More information about the linux-pcmcia
mailing list