public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Dominik Brodowski <linux@dominikbrodowski.net>,
	Christoph Fritz <chf.fritz@googlemail.com>
Subject: [39/59] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
Date: Tue, 24 Aug 2010 15:24:51 -0700
Message-ID: <20100824222525.796700864@clark.site>
In-Reply-To: <20100824224625.GA5449@kroah.com>

2.6.32-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Dominik Brodowski <linux@dominikbrodowski.net>

commit 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f upstream.

NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in
pcmcia_setup_isa_irq():

static u8 pcmcia_used_irq[NR_IRQS];

...

		if ((try < 32) && pcmcia_used_irq[irq])
			continue;

This is read-only, so if this address would be non-zero, it would just
mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway!
And as request_irq() fails for an irq >= NR_IRQS, the setting code path:

			pcmcia_used_irq[irq]++;

is never reached as well.

Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/pcmcia/pcmcia_resource.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/pcmcia/pcmcia_resource.c
+++ b/drivers/pcmcia/pcmcia_resource.c
@@ -39,7 +39,7 @@ module_param(io_speed, int, 0444);
 #ifdef CONFIG_PCMCIA_PROBE
 #include <asm/irq.h>
 /* mask of IRQs already reserved by other cards, we should avoid using them */
-static u8 pcmcia_used_irq[NR_IRQS];
+static u8 pcmcia_used_irq[32];
 #endif
 
 
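Review bot: the literal 32 in the new `pcmcia_used_irq[32]` declaration is a magic number that has to stay equal to the modulus in `irq = try % 32` in pcmcia_request_irq() for the index to remain in bounds, and nothing in the code ties the two together. Suggest a shared named constant used in both places. Separately, the array is u8 and, per the commit message, is updated with `pcmcia_used_irq[irq]++`, so the comment calling it a "mask" would read more accurately as a per-IRQ use count.
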
@@ -719,6 +719,9 @@ int pcmcia_request_irq(struct pcmcia_dev
 		for (try = 0; try < 64; try++) {
 			irq = try % 32;
 
+			if (irq > NR_IRQS)
+				continue;
+
 			/* marked as available by driver, and not blocked by userspace? */
 			if (!((mask >> irq) & 1))
 				continue;
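
Review bot: the added bounds check `if (irq > NR_IRQS)` is off by one. irq == NR_IRQS is not a valid IRQ number, and the commit message itself says request_irq() fails for an irq >= NR_IRQS, so the comparison should be `irq >= NR_IRQS`. With the array now sized 32 and irq taken from `try % 32`, the index stays in bounds either way, so this is a correctness point rather than a memory-safety one, but as written one out-of-range IRQ is still tried. A short comment saying why the check exists (NR_IRQS may be as low as 16) would also help the next reader.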


