* [PATCH] drivers/pci: Avoid iterating through memory outside the resource window
@ 2016-01-04 17:12 eocallaghan
2016-01-08 18:23 ` Bjorn Helgaas
0 siblings, 1 reply; 2+ messages in thread
From: eocallaghan @ 2016-01-04 17:12 UTC (permalink / raw)
To: linux-pci
If the 'image' pointer has been advanced more than 'size',
we've already iterated through memory outside the resource window.
We have zero control over whatever we find in the option ROM,
if it's even an option ROM and not just an accident of random
data just happening to look like an option ROM.
Signed-off-by: Edward O'Callaghan <eocallaghan@alterapraxis.com>
---
drivers/pci/rom.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
index eb0ad53..45987ad 100644
--- a/drivers/pci/rom.c
+++ b/drivers/pci/rom.c
@@ -96,6 +96,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void
__iomem *rom, size_t size)
last_image = readb(pds + 21) & 0x80;
length = readw(pds + 16);
image += length * 512;
+ /* Avoid iterating through memory outside the resource window */
+ if (image > rom + size)
+ break;
} while (length && !last_image);
/* never return a size larger than the PCI resource window */
--
2.5.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] drivers/pci: Avoid iterating through memory outside the resource window
2016-01-04 17:12 [PATCH] drivers/pci: Avoid iterating through memory outside the resource window eocallaghan
@ 2016-01-08 18:23 ` Bjorn Helgaas
0 siblings, 0 replies; 2+ messages in thread
From: Bjorn Helgaas @ 2016-01-08 18:23 UTC (permalink / raw)
To: eocallaghan; +Cc: linux-pci
On Tue, Jan 05, 2016 at 04:12:38AM +1100, eocallaghan@alterapraxis.com wrote:
> If the 'image' pointer has been advanced more than 'size',
> we've already iterated through memory outside the resource window.
>
> We have zero control over whatever we find in the option ROM,
> if it's even an option ROM and not just an accident of random
> data just happening to look like an option ROM.
>
> Signed-off-by: Edward O'Callaghan <eocallaghan@alterapraxis.com>
This patch was somehow malformed, but I applied it by hand to pci/resource
for v4.5, thanks, Edward!
> ---
> drivers/pci/rom.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
> index eb0ad53..45987ad 100644
> --- a/drivers/pci/rom.c
> +++ b/drivers/pci/rom.c
> @@ -96,6 +96,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void
> __iomem *rom, size_t size)
> last_image = readb(pds + 21) & 0x80;
> length = readw(pds + 16);
> image += length * 512;
> + /* Avoid iterating through memory outside the resource window */
> + if (image > rom + size)
> + break;
> } while (length && !last_image);
>
> /* never return a size larger than the PCI resource window */
> --
> 2.5.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-pci" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-01-08 18:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-04 17:12 [PATCH] drivers/pci: Avoid iterating through memory outside the resource window eocallaghan
2016-01-08 18:23 ` Bjorn Helgaas
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).