[BUG -next] pcmcia: setup IRQ to be used by PCMCIA drivers at card insert

public inbox for linux-next@vger.kernel.org
 help / color / mirror / Atom feed

* [BUG -next] pcmcia: setup IRQ to be used by PCMCIA drivers at card insert
@ 2010-08-03  0:38 Christoph Fritz
  2010-08-03  6:17 ` Dominik Brodowski
  2010-08-03  7:40 ` [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq Dominik Brodowski
  0 siblings, 2 replies; 6+ messages in thread
From: Christoph Fritz @ 2010-08-03  0:38 UTC (permalink / raw)
  To: Dominik Brodowski; +Cc: linux-next

Hi,

buffer overflow in next-tree's commit 6f0f38c45a8f2f511c25893e33011ff32fc811db:
 size of array pcmcia_used_irq[] can be less than 32

in drivers/pcmcia/pcmcia_resource.c
   +static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
   +{
   [..]
   +       for (try = 0; try < 64; try++) {
   +               irq = try % 32;
   [..]
   +
   +               /* avoid an IRQ which is already used by another PCMCIA card */
   +               if ((try < 32) && pcmcia_used_irq[irq])
   +                       continue;

drivers/pcmcia/pcmcia_resource.c
   static u8 pcmcia_used_irq[NR_IRQS];

arch/x86/include/asm/irq_vectors.h
   #define NR_IRQS_LEGACY                    16
   [..]
   #else /* !CONFIG_X86_IO_APIC: */
   # define NR_IRQS                        NR_IRQS_LEGACY
   #endif

---
non-tested fix:
---
diff --git a/drivers/pcmcia/pcmcia_resource.c b/drivers/pcmcia/pcmcia_resource.c
index d48437f..f8363e6 100644
--- a/drivers/pcmcia/pcmcia_resource.c
+++ b/drivers/pcmcia/pcmcia_resource.c
@@ -697,15 +697,15 @@ static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
 	u32 mask = s->irq_mask;
 	int ret = -ENODEV;
 
-	for (try = 0; try < 64; try++) {
-		irq = try % 32;
+	for (try = 0; try < (NR_IRQS * 2); try++) {
+		irq = try % NR_IRQS;
 
 		/* marked as available by driver, not blocked by userspace? */
 		if (!((mask >> irq) & 1))
 			continue;
 
 		/* avoid an IRQ which is already used by another PCMCIA card */
-		if ((try < 32) && pcmcia_used_irq[irq])
+		if ((try < NR_IRQS) && pcmcia_used_irq[irq])
 			continue;
 
 		/* register the correct driver, if possible, to check whether

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [BUG -next] pcmcia: setup IRQ to be used by PCMCIA drivers at card insert
  2010-08-03  0:38 [BUG -next] pcmcia: setup IRQ to be used by PCMCIA drivers at card insert Christoph Fritz
@ 2010-08-03  6:17 ` Dominik Brodowski
  2010-08-03 10:23   ` Christoph Fritz
  2010-08-03  7:40 ` [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq Dominik Brodowski
  1 sibling, 1 reply; 6+ messages in thread
From: Dominik Brodowski @ 2010-08-03  6:17 UTC (permalink / raw)
  To: Christoph Fritz; +Cc: linux-next

Hey,

On Tue, Aug 03, 2010 at 02:38:19AM +0200, Christoph Fritz wrote:
> buffer overflow in next-tree's commit 6f0f38c45a8f2f511c25893e33011ff32fc811db:

this bug is not only present in -next, but also in every 2.6 stable kernel
released -- the commit you mention merely moved code around.

> non-tested fix:

could I get your Signed-off-by, please?

Best,
	Dominik

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
  2010-08-03  0:38 [BUG -next] pcmcia: setup IRQ to be used by PCMCIA drivers at card insert Christoph Fritz
  2010-08-03  6:17 ` Dominik Brodowski
@ 2010-08-03  7:40 ` Dominik Brodowski
  2010-08-03  7:42   ` Dominik Brodowski
  2010-08-03 10:26   ` Christoph Fritz
  1 sibling, 2 replies; 6+ messages in thread
From: Dominik Brodowski @ 2010-08-03  7:40 UTC (permalink / raw)
  To: Christoph Fritz, linux-pcmcia; +Cc: linux-next

On Tue, Aug 03, 2010 at 02:38:19AM +0200, Christoph Fritz wrote:
> Hi,
> 
> buffer overflow in next-tree's commit 6f0f38c45a8f2f511c25893e33011ff32fc811db:
>  size of array pcmcia_used_irq[] can be less than 32
> 
> in drivers/pcmcia/pcmcia_resource.c
>    +static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
>    +{
>    [..]
>    +       for (try = 0; try < 64; try++) {
>    +               irq = try % 32;
>    [..]
>    +
>    +               /* avoid an IRQ which is already used by another PCMCIA card */
>    +               if ((try < 32) && pcmcia_used_irq[irq])
>    +                       continue;
> 
> drivers/pcmcia/pcmcia_resource.c
>    static u8 pcmcia_used_irq[NR_IRQS];
> 
> arch/x86/include/asm/irq_vectors.h
>    #define NR_IRQS_LEGACY                    16
>    [..]
>    #else /* !CONFIG_X86_IO_APIC: */
>    # define NR_IRQS                        NR_IRQS_LEGACY
>    #endif
> 
> ---
> non-tested fix:

What about this?


[PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq

NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in
pcmcia_setup_isa_irq():

static u8 pcmcia_used_irq[NR_IRQS];

...

		if ((try < 32) && pcmcia_used_irq[irq])
			continue;

This is read-only, so if this address would be non-zero, it would just
mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway!
And as request_irq() fails for an irq >= NR_IRQS, the setting code path:

			pcmcia_used_irq[irq]++;

is never reached as well.

Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
CC: stable@kernel.org
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>

diff --git a/drivers/pcmcia/pcmcia_resource.c b/drivers/pcmcia/pcmcia_resource.c
index d48437f..54aa1c2 100644
--- a/drivers/pcmcia/pcmcia_resource.c
+++ b/drivers/pcmcia/pcmcia_resource.c
@@ -677,7 +677,7 @@ EXPORT_SYMBOL(__pcmcia_request_exclusive_irq);
 #ifdef CONFIG_PCMCIA_PROBE
 
 /* mask of IRQs already reserved by other cards, we should avoid using them */
-static u8 pcmcia_used_irq[NR_IRQS];
+static u8 pcmcia_used_irq[32];
 
 static irqreturn_t test_action(int cpl, void *dev_id)
 {
@@ -700,6 +700,9 @@ static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
 	for (try = 0; try < 64; try++) {
 		irq = try % 32;
 
+		if (irq > NR_IRQS)
+			continue;
+
 		/* marked as available by driver, not blocked by userspace? */
 		if (!((mask >> irq) & 1))
 			continue;

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
  2010-08-03  7:40 ` [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq Dominik Brodowski
@ 2010-08-03  7:42   ` Dominik Brodowski
  2010-08-03 10:26   ` Christoph Fritz
  1 sibling, 0 replies; 6+ messages in thread
From: Dominik Brodowski @ 2010-08-03  7:42 UTC (permalink / raw)
  To: Christoph Fritz, linux-pcmcia, linux-next

The corresponding fix for 2.6.34 and earlier would be:

diff --git a/drivers/pcmcia/pcmcia_resource.c b/drivers/pcmcia/pcmcia_resource.c
index 7c3d03b..cfcf868 100644
--- a/drivers/pcmcia/pcmcia_resource.c
+++ b/drivers/pcmcia/pcmcia_resource.c
@@ -41,7 +41,7 @@ module_param(io_speed, int, 0444);
 #ifdef CONFIG_PCMCIA_PROBE
 #include <asm/irq.h>
 /* mask of IRQs already reserved by other cards, we should avoid using them */
-static u8 pcmcia_used_irq[NR_IRQS];
+static u8 pcmcia_used_irq[32];
 #endif
 
 static int pcmcia_adjust_io_region(struct resource *res, unsigned long start,
@@ -768,6 +768,9 @@ int pcmcia_request_irq(struct pcmcia_device *p_dev, irq_req_t *req)
 		for (try = 0; try < 64; try++) {
 			irq = try % 32;
 
+			if (irq > NR_IRQS)
+				continue;
+
 			/* marked as available by driver, and not blocked by userspace? */
 			if (!((mask >> irq) & 1))
 				continue;

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [BUG -next] pcmcia: setup IRQ to be used by PCMCIA drivers at card insert
  2010-08-03  6:17 ` Dominik Brodowski
@ 2010-08-03 10:23   ` Christoph Fritz
  0 siblings, 0 replies; 6+ messages in thread
From: Christoph Fritz @ 2010-08-03 10:23 UTC (permalink / raw)
  To: Dominik Brodowski; +Cc: linux-next

On Tue, 2010-08-03 at 08:17 +0200, Dominik Brodowski wrote:
> Hey,
> 
> On Tue, Aug 03, 2010 at 02:38:19AM +0200, Christoph Fritz wrote:
> > buffer overflow in next-tree's commit 6f0f38c45a8f2f511c25893e33011ff32fc811db:
> 
> this bug is not only present in -next, but also in every 2.6 stable kernel
> released -- the commit you mention merely moved code around.
> 
> > non-tested fix:
> 
> could I get your Signed-off-by, please?

sure, 
 you can add a
Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
 to the patches.

thanks,
 chf

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
  2010-08-03  7:40 ` [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq Dominik Brodowski
  2010-08-03  7:42   ` Dominik Brodowski
@ 2010-08-03 10:26   ` Christoph Fritz
  1 sibling, 0 replies; 6+ messages in thread
From: Christoph Fritz @ 2010-08-03 10:26 UTC (permalink / raw)
  To: Dominik Brodowski; +Cc: linux-pcmcia, linux-next

On Tue, 2010-08-03 at 09:40 +0200, Dominik Brodowski wrote:
> On Tue, Aug 03, 2010 at 02:38:19AM +0200, Christoph Fritz wrote:
> > Hi,
> > 
> > buffer overflow in next-tree's commit 6f0f38c45a8f2f511c25893e33011ff32fc811db:
> >  size of array pcmcia_used_irq[] can be less than 32
> > 
> > in drivers/pcmcia/pcmcia_resource.c
> >    +static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
> >    +{
> >    [..]
> >    +       for (try = 0; try < 64; try++) {
> >    +               irq = try % 32;
> >    [..]
> >    +
> >    +               /* avoid an IRQ which is already used by another PCMCIA card */
> >    +               if ((try < 32) && pcmcia_used_irq[irq])
> >    +                       continue;
> > 
> > drivers/pcmcia/pcmcia_resource.c
> >    static u8 pcmcia_used_irq[NR_IRQS];
> > 
> > arch/x86/include/asm/irq_vectors.h
> >    #define NR_IRQS_LEGACY                    16
> >    [..]
> >    #else /* !CONFIG_X86_IO_APIC: */
> >    # define NR_IRQS                        NR_IRQS_LEGACY
> >    #endif
> > 
> > ---
> > non-tested fix:
> 
> What about this?
> 
> 
> [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
> 
> NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in
> pcmcia_setup_isa_irq():
> 
> static u8 pcmcia_used_irq[NR_IRQS];
> 
> ...
> 
> 		if ((try < 32) && pcmcia_used_irq[irq])
> 			continue;
> 
> This is read-only, so if this address would be non-zero, it would just
> mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway!
> And as request_irq() fails for an irq >= NR_IRQS, the setting code path:
> 
> 			pcmcia_used_irq[irq]++;
> 
> is never reached as well.
> 
> Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
> CC: stable@kernel.org
> Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
> 
> diff --git a/drivers/pcmcia/pcmcia_resource.c b/drivers/pcmcia/pcmcia_resource.c
> index d48437f..54aa1c2 100644
> --- a/drivers/pcmcia/pcmcia_resource.c
> +++ b/drivers/pcmcia/pcmcia_resource.c
> @@ -677,7 +677,7 @@ EXPORT_SYMBOL(__pcmcia_request_exclusive_irq);
>  #ifdef CONFIG_PCMCIA_PROBE
>  
>  /* mask of IRQs already reserved by other cards, we should avoid using them */
> -static u8 pcmcia_used_irq[NR_IRQS];
> +static u8 pcmcia_used_irq[32];
>  
>  static irqreturn_t test_action(int cpl, void *dev_id)
>  {
> @@ -700,6 +700,9 @@ static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
>  	for (try = 0; try < 64; try++) {
>  		irq = try % 32;
>  
> +		if (irq > NR_IRQS)
> +			continue;
> +
>  		/* marked as available by driver, not blocked by userspace? */
>  		if (!((mask >> irq) & 1))
>  			continue;

thanks,
 you can add a

Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2010-08-03 10:23 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-08-03  0:38 [BUG -next] pcmcia: setup IRQ to be used by PCMCIA drivers at card insert Christoph Fritz
2010-08-03  6:17 ` Dominik Brodowski
2010-08-03 10:23   ` Christoph Fritz
2010-08-03  7:40 ` [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq Dominik Brodowski
2010-08-03  7:42   ` Dominik Brodowski
2010-08-03 10:26   ` Christoph Fritz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox