pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq

commit 127c03cd upstream. NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in pcmcia_setup_isa_irq(): static u8 pcmcia_used_irq[NR_IRQS]; ... if ((try < 32) && pcmcia_used_irq[irq]) continue; This is read-only, so if this address would be non-zero, it would just mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway! And as request_irq() fails for an irq >= NR_IRQS, the setting code path: pcmcia_used_irq[irq]++; is never reached as well. Reported-by: Christoph Fritz <chf.fritz@googlemail.com> Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
commit 127c03cd upstream. NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in pcmcia_setup_isa_irq(): static u8 pcmcia_used_irq[NR_IRQS]; ... if ((try < 32) && pcmcia_used_irq[irq]) continue; This is read-only, so if this address would be non-zero, it would just mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway! And as request_irq() fails for an irq >= NR_IRQS, the setting code path: pcmcia_used_irq[irq]++; is never reached as well. Reported-by: Christoph Fritz <chf.fritz@googlemail.com> Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
203824be · Dominik Brodowski · Greg Kroah-Hartman · 4fbb306c · 203824be
Commit 203824be authored Aug 03, 2010 by Dominik Brodowski Committed by Greg Kroah-Hartman Aug 13, 2010
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

drivers/pcmcia/pcmcia_resource.c drivers/pcmcia/pcmcia_resource.c +4 -1

No files found.
--- a/drivers/pcmcia/pcmcia_resource.c
+++ b/drivers/pcmcia/pcmcia_resource.c
@@ -651,7 +651,7 @@ EXPORT_SYMBOL(__pcmcia_request_exclusive_irq);
 #ifdef CONFIG_PCMCIA_PROBE
 /* mask of IRQs already reserved by other cards, we should avoid using them */
-static u8 pcmcia_used_irq[NR_IRQS];
+static u8 pcmcia_used_irq[32];
 static irqreturn_t test_action(int cpl, void *dev_id)
 {
@@ -674,6 +674,9 @@ static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
 	for (try = 0; try < 64; try++) {
 		irq = try % 32;
+		if (irq > NR_IRQS)
+			continue;
 		/* marked as available by driver, not blocked by userspace? */
 		if (!((mask >> irq) & 1))
 			continue;