ACPI: bounds check IRQ to prevent memory corruption

From: Linux Kernel Mailing List
Date: Friday, August 15, 2008 - 10:00 am

Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fa46d3...
Commit:     fa46d3526461e8aa7c0fb39cc1b98ac656695a43
Parent:     b635acec48bcaa9183fcbf4e3955616b0d4119b5
Author:     Bjorn Helgaas <bjorn.helgaas@hp.com>
AuthorDate: Fri Aug 1 15:58:17 2008 -0600
Committer:  Andi Kleen <ak@linux.intel.com>
CommitDate: Fri Aug 15 03:17:07 2008 +0200

    ACPI: bounds check IRQ to prevent memory corruption
    
    acpi_penalize_isa_irq() should validate irq before using it to
    index the acpi_irq_penalty[] table.
    
    Here's the path I'm concerned about:
    
        pnpacpi_parse_allocated_irqresource()
        {
    	...
    	irq = acpi_register_gsi(gsi, triggering, polarity);
    	if (irq >= 0)
    		pcibios_penalize_isa_irq(irq, 1);
    
    There's no guarantee that acpi_register_gsi() will return an IRQ
    within the bounds of acpi_irq_penalty[].
    
    I have not seen a failure I can attribute to this.  However,
    ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have
    IRQs larger than that.
    
    I think this should go in 2.6.27.
    
    Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
---
 drivers/acpi/pci_link.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/acpi/pci_link.c b/drivers/acpi/pci_link.c
index 89f3b2a..cf47805 100644
--- a/drivers/acpi/pci_link.c
+++ b/drivers/acpi/pci_link.c
@@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used)
 		if (irq < 0)
 			continue;
 
-		if (irq >= ACPI_MAX_IRQS)
+		if (irq >= ARRAY_SIZE(acpi_irq_penalty))
 			continue;
 
 		if (used)
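Review bot: the new `irq >= ARRAY_SIZE(acpi_irq_penalty)` test in acpi_irq_penalty_update() compares irq against an unsigned size, so it is only correct because the separate `if (irq < 0)` check sits directly above it. Consider folding the two into a single range test in the same form as the one added to acpi_penalize_isa_irq(), so that reordering or dropping the earlier check cannot let a negative value through as a huge index. The changelog also discusses only acpi_penalize_isa_irq(); a sentence saying that this function's limit moves from ACPI_MAX_IRQS to the array size for consistency would explain why the hunk is part of the fix.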
@@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used)
  */
 void acpi_penalize_isa_irq(int irq, int active)
 {
-	if (active)
-		acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
-	else
-		acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+	if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) {
+		if (active)
+			acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
+		else
+			acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+	}
 }
 
 /*
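Review bot: acpi_penalize_isa_irq() now discards an out-of-range irq with no trace, and because it returns void the caller (for example the pnpacpi path quoted in the changelog) cannot tell that the penalty was never recorded. The range test itself is fine, since `irq >= 0` is evaluated before the comparison with ARRAY_SIZE(acpi_irq_penalty), but a one-time warning or debug message when the test fails would show whether IRQs beyond the table actually occur, which the changelog says has not been observed. The comment block that ends just above the function should also state that IRQs outside acpi_irq_penalty[] are ignored.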
--
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html