Commit 669e7461 authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] early_serial_setup array bounds check

From: Bjorn Helgaas <bjorn.helgaas@hp.com>

early_serial_setup() doesn't validate the array index, so a caller could
corrupt memory after serial8250_ports[] by supplying a value of port->line
that's too large.

I haven't seen a failure related to this, but it seems fragile to rely on
callers to know how many ports the driver supports.
parent 19067de8
...@@ -2086,6 +2086,9 @@ int register_serial(struct serial_struct *req) ...@@ -2086,6 +2086,9 @@ int register_serial(struct serial_struct *req)
int __init early_serial_setup(struct uart_port *port) int __init early_serial_setup(struct uart_port *port)
{ {
if (port->line >= ARRAY_SIZE(serial8250_ports))
return -ENODEV;
serial8250_isa_init_ports(); serial8250_isa_init_ports();
serial8250_ports[port->line].port = *port; serial8250_ports[port->line].port = *port;
serial8250_ports[port->line].port.ops = &serial8250_pops; serial8250_ports[port->line].port.ops = &serial8250_pops;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment