[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080801215755.4761.92512.stgit@tigger.helgaas>
Date: Fri, 01 Aug 2008 15:58:17 -0600
From: Bjorn Helgaas <bjorn.helgaas@...com>
To: Andi Kleen <andi@...stfloor.org>
Cc: Bjorn Helgaas <bjorn.helgaas@...com>,
Andrew Morton <akpm@...ux-foundation.org>,
Natalie Protasevich <protasnb@...il.com>,
Jack Steiner <steiner@....com>,
Hidetoshi Seto <seto.hidetoshi@...fujitsu.com>,
linux-acpi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] ACPI: bounds check IRQ to prevent memory corruption
acpi_penalize_isa_irq() should validate irq before using it to
index the acpi_irq_penalty[] table.
Here's the path I'm concerned about:
pnpacpi_parse_allocated_irqresource()
{
...
irq = acpi_register_gsi(gsi, triggering, polarity);
if (irq >= 0)
pcibios_penalize_isa_irq(irq, 1);
There's no guarantee that acpi_register_gsi() will return an IRQ
within the bounds of acpi_irq_penalty[].
I have not seen a failure I can attribute to this. However,
ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have
IRQs larger than that.
I think this should go in 2.6.27.
Signed-off-by: Bjorn Helgaas <bjorn.helgaas@...com>
---
drivers/acpi/pci_link.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/acpi/pci_link.c b/drivers/acpi/pci_link.c
index 89f3b2a..cf47805 100644
--- a/drivers/acpi/pci_link.c
+++ b/drivers/acpi/pci_link.c
@@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used)
if (irq < 0)
continue;
- if (irq >= ACPI_MAX_IRQS)
+ if (irq >= ARRAY_SIZE(acpi_irq_penalty))
continue;
if (used)
@@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used)
*/
void acpi_penalize_isa_irq(int irq, int active)
{
- if (active)
- acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
- else
- acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+ if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) {
+ if (active)
+ acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
+ else
+ acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+ }
}
/*
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists