Commit fa46d352 authored by Bjorn Helgaas, committed by Andi Kleen

ACPI: bounds check IRQ to prevent memory corruption

acpi_penalize_isa_irq() should validate irq before using it to
index the acpi_irq_penalty[] table.

Here's the path I'm concerned about:

    pnpacpi_parse_allocated_irqresource()
    {
	...
	irq = acpi_register_gsi(gsi, triggering, polarity);
	if (irq >= 0)
		pcibios_penalize_isa_irq(irq, 1);

There's no guarantee that acpi_register_gsi() will return an IRQ
within the bounds of acpi_irq_penalty[].

I have not seen a failure I can attribute to this.  However,
ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have
IRQs larger than that.

I think this should go in 2.6.27.
Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
parent b635acec
...@@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used) ...@@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used)
if (irq < 0) if (irq < 0)
continue; continue;
if (irq >= ACPI_MAX_IRQS) if (irq >= ARRAY_SIZE(acpi_irq_penalty))
continue; continue;
if (used) if (used)
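Review bot: the changelog only talks about acpi_penalize_isa_irq(), but this hunk also changes the upper bound in acpi_irq_penalty_update() from ACPI_MAX_IRQS to ARRAY_SIZE(acpi_irq_penalty), and that deserves a sentence in the message. Tying the check to the array itself is the right direction, since the bound can no longer drift from the table's declared size. The declaration is not visible here, so please state whether this is a pure cleanup (array declared with ACPI_MAX_IRQS elements) or a behaviour change. Also note that irq is an int while ARRAY_SIZE() is unsigned, so the comparison is only safe because the `if (irq < 0)` test directly above runs first. Keep those two checks adjacent.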
...@@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used) ...@@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used)
*/ */
void acpi_penalize_isa_irq(int irq, int active) void acpi_penalize_isa_irq(int irq, int active)
{ {
if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) {
if (active) if (active)
acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED; acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
else else
acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING; acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
}
} }
/* /*
......
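Review bot: the new range test in acpi_penalize_isa_irq() silently drops the penalty for any IRQ outside acpi_irq_penalty[], and nothing in the code says why that is acceptable. The changelog expects ia64 to produce such IRQs, so a short comment above the test (or a debug-level message on the rejected path) would record that out-of-range IRQs are deliberately ignored rather than an oversight. As a style point, an early return such as `if (irq < 0 || irq >= ARRAY_SIZE(acpi_irq_penalty)) return;` would match the reject-and-continue pattern used in acpi_irq_penalty_update() and avoid re-indenting the existing if/else body.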