[stable] [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
Greg KH
greg at kroah.com
Mon Aug 23 18:24:05 EDT 2010
On Thu, Aug 12, 2010 at 05:07:47PM +0200, Dominik Brodowski wrote:
> commit 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f upstream.
>
> NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in
> pcmcia_setup_isa_irq():
>
> static u8 pcmcia_used_irq[NR_IRQS];
>
> ...
>
> 	if ((try < 32) && pcmcia_used_irq[irq])
> 		continue;
>
> This is read-only, so if this address would be non-zero, it would just
> mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway!
> And as request_irq() fails for an irq >= NR_IRQS, the setting code path:
>
> pcmcia_used_irq[irq]++;
>
> is never reached as well.
>
> Reported-by: Christoph Fritz <chf.fritz at googlemail.com>
> Signed-off-by: Dominik Brodowski <linux at dominikbrodowski.net>
> Signed-off-by: Christoph Fritz <chf.fritz at googlemail.com>
>
> ---
>
> Note: a similar patch is already queued for 2.6.35.2. This patch applies to
> 2.6.34 and all other previous stable kernels still maintained.
Thanks, I've applied this to the .32 and .34 stable trees.
greg k-h
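
The out-of-range read described in the quoted commit message, modelled in user space as an added example; it is not the kernel's code and not the upstream patch. The `demo_*` names, the two-pass loop and the 32-bit candidate mask are assumptions built around the quoted `try < 32` condition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_NR_IRQS   16  /* constructed: the low table size the message mentions */
#define DEMO_IRQ_RANGE 32  /* assumption: candidates come from a 32-bit mask */

/*
 * Return the first acceptable IRQ in mask, or -1 (hypothetical helper).
 * Pass 0 (try < 32) skips IRQs already in use; pass 1 accepts shared ones.
 * The range check runs first, so used[] is never indexed past table_len.
 */
int demo_pick_irq(uint32_t mask, const uint8_t *used, size_t table_len)
{
    for (unsigned try = 0; try < 2 * DEMO_IRQ_RANGE; try++) {
        unsigned irq = try % DEMO_IRQ_RANGE;

        if (!((mask >> irq) & 1u))
            continue;
        if (irq >= table_len)   /* candidate has no slot in the table */
            continue;
        if (try < DEMO_IRQ_RANGE && used[irq])
            continue;
        return (int)irq;
    }
    return -1;
}

/* Count mask bits that an unguarded used[irq] would read out of bounds. */
unsigned demo_count_oob(uint32_t mask, size_t table_len)
{
    unsigned n = 0;

    for (unsigned irq = 0; irq < DEMO_IRQ_RANGE; irq++)
        if (((mask >> irq) & 1u) && irq >= table_len)
            n++;
    return n;
}

int main(void)
{
    uint8_t used[DEMO_NR_IRQS] = { [5] = 1 };            /* constructed: IRQ 5 busy */
    uint32_t mask = (1u << 5) | (1u << 9) | (1u << 20);  /* constructed mask */

    printf("picked %d, out-of-range candidates %u\n",
           demo_pick_irq(mask, used, DEMO_NR_IRQS),
           demo_count_oob(mask, DEMO_NR_IRQS));
    return 0;
}
```

Building the model with `-fsanitize=address` and removing the `irq >= table_len` check makes the read past the 16-entry table visible for the constructed mask bit 20.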