lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Sun, 12 Dec 2010 22:40:15 +0100 (CET)
From:	Jesper Juhl <jj@...osbits.net>
To:	linux-pci@...r.kernel.org
cc:	linux-kernel@...r.kernel.org,
	Jesse Barnes <jbarnes@...tuousgeek.org>,
	Ashok Raj <ashok.raj@...el.com>,
	Shaohua Li <shaohua.li@...el.com>,
	Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>
Subject: [PATCH] Don't index beyond end of intr_remap_fault_reasons array in
 dmar_get_fault_reason

Hi,

In drivers/pci/dmar.c::dmar_get_fault_reason() we have 7 entries in the 
intr_remap_fault_reasons array and then this code:

...
	if (fault_reason >= 0x20 && (fault_reason <= 0x20 +
				     ARRAY_SIZE(intr_remap_fault_reasons))) {
		*fault_type = INTR_REMAP;
		return intr_remap_fault_reasons[fault_reason - 0x20];
...

This ends up allowing array index values of 0-7 (both inclusive). A value 
of 7 indexes 1 past the end of the array, so I believe the code should be 
this instead:

...
	if (fault_reason >= 0x20 && (fault_reason <= 0x20 +
				     ARRAY_SIZE(intr_remap_fault_reasons) - 1)) {
		*fault_type = INTR_REMAP;
		return intr_remap_fault_reasons[fault_reason - 0x20];
...

Which only allows the actually legal values 0-6.

The patch below makes that change and also (while I was there) removes the 
completely unused  #define MAX_FAULT_REASON_IDX .


Signed-off-by: Jesper Juhl <jj@...osbits.net>
---
 dmar.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/pci/dmar.c b/drivers/pci/dmar.c
index 0157708..f210f96 100644
--- a/drivers/pci/dmar.c
+++ b/drivers/pci/dmar.c
@@ -1207,12 +1207,10 @@ static const char *intr_remap_fault_reasons[] =
 	"Blocked an interrupt request due to source-id verification failure",
 };
 
-#define MAX_FAULT_REASON_IDX 	(ARRAY_SIZE(fault_reason_strings) - 1)
-
 const char *dmar_get_fault_reason(u8 fault_reason, int *fault_type)
 {
 	if (fault_reason >= 0x20 && (fault_reason <= 0x20 +
-				     ARRAY_SIZE(intr_remap_fault_reasons))) {
+				     ARRAY_SIZE(intr_remap_fault_reasons) - 1)) {
 		*fault_type = INTR_REMAP;
 		return intr_remap_fault_reasons[fault_reason - 0x20];
 	} else if (fault_reason < ARRAY_SIZE(dma_remap_fault_reasons)) {



-- 
Jesper Juhl <jj@...osbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ