[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060801230243.GA8263@kvasir.watson.ibm.com>
Date: Tue, 1 Aug 2006 19:02:44 -0400
From: Amos Waterland <apw@...ibm.com>
To: linux-kernel@...r.kernel.org
Subject: [PATCH] Fix bounds check bug in __register_chrdev_region
The code in __register_chrdev_region checks that if the driver wishing
to register has the same major as an existing driver the new minor range
is strictly less than the existing minor range. However, it does not
also check that the new minor range is strictly greater than the
existing minor range. That is, if driver X has registered with
major=x and minor=0-3, __register_chrdev_region will allow driver Y to
register with major=x and minor=1-4.
I came across this in the context of the Xen virtual console driver, but I
imagine it causes a problem for any driver with the same major number
but different minor numbers as a driver that has registered ahead of it.
Signed-off-by: Amos Waterland <apw@...ibm.com>
---
fs/char_dev.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
5127ecec5817868799c55ac27e8d1651308d1497
diff --git a/fs/char_dev.c b/fs/char_dev.c
index 3483d3c..11c0249 100644
--- a/fs/char_dev.c
+++ b/fs/char_dev.c
@@ -109,10 +109,13 @@ __register_chrdev_region(unsigned int ma
for (cp = &chrdevs[i]; *cp; cp = &(*cp)->next)
if ((*cp)->major > major ||
- ((*cp)->major == major && (*cp)->baseminor >= baseminor))
+ ((*cp)->major == major &&
+ (((*cp)->baseminor >= baseminor) ||
+ ((*cp)->baseminor + (*cp)->minorct > baseminor))))
break;
if (*cp && (*cp)->major == major &&
- (*cp)->baseminor < baseminor + minorct) {
+ (((*cp)->baseminor < baseminor + minorct) ||
+ ((*cp)->baseminor + (*cp)->minorct > baseminor))) {
ret = -EBUSY;
goto out;
}
--
1.0.4
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists