public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Dominik Brodowski <linux@dominikbrodowski.net>,
	Christoph Fritz <chf.fritz@googlemail.com>
Subject: [63/91] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
Date: Tue, 24 Aug 2010 15:42:25 -0700
Message-ID: <20100824224217.466129174@clark.site>
In-Reply-To: <20100824224617.GA5440@kroah.com>

2.6.34-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Dominik Brodowski <linux@dominikbrodowski.net>

commit 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f upstream.

NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in
pcmcia_setup_isa_irq():

static u8 pcmcia_used_irq[NR_IRQS];

...

		if ((try < 32) && pcmcia_used_irq[irq])
			continue;

This is read-only, so if this address would be non-zero, it would just
mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway!
And as request_irq() fails for an irq >= NR_IRQS, the setting code path:

			pcmcia_used_irq[irq]++;

is never reached as well.

Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/pcmcia/pcmcia_resource.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/pcmcia/pcmcia_resource.c
+++ b/drivers/pcmcia/pcmcia_resource.c
@@ -41,7 +41,7 @@ module_param(io_speed, int, 0444);
 #ifdef CONFIG_PCMCIA_PROBE
 #include <asm/irq.h>
 /* mask of IRQs already reserved by other cards, we should avoid using them */
-static u8 pcmcia_used_irq[NR_IRQS];
+static u8 pcmcia_used_irq[32];
 #endif
 
 static int pcmcia_adjust_io_region(struct resource *res, unsigned long start,
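
Review bot: the new size in `static u8 pcmcia_used_irq[32];` is a bare literal that has to stay in step with `irq = try % 32` in pcmcia_request_irq(); nothing ties the two together, so a later change to either one can bring back an out-of-bounds index. Suggest a named constant used for both the array size and the modulo. The comment above the array also still calls it a "mask", while the commit message shows it being used as a per-IRQ counter (`pcmcia_used_irq[irq]++`); worth correcting while the line is being touched.
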
@@ -768,6 +768,9 @@ int pcmcia_request_irq(struct pcmcia_dev
 		for (try = 0; try < 64; try++) {
 			irq = try % 32;
 
+			if (irq > NR_IRQS)
+				continue;
+
 			/* marked as available by driver, and not blocked by userspace? */
 			if (!((mask >> irq) & 1))
 				continue;
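
Review bot: the added check `if (irq > NR_IRQS)` is off by one. Valid IRQ numbers run from 0 to NR_IRQS - 1, and the commit message itself says request_irq() fails for an irq >= NR_IRQS, so irq == NR_IRQS still gets past this test. With the array now sized 32 and `irq = try % 32`, the index into pcmcia_used_irq stays in bounds either way, so per the commit message this only costs a request_irq() call that fails, but the comparison should read `if (irq >= NR_IRQS)`. A one-line comment saying why the check is needed (NR_IRQS may be as low as 16) would also help the next reader.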


