From: Randy Dunlap Date: Tue, 11 Apr 2006 05:53:13 +0000 (-0700) Subject: [PATCH] mpparse: prevent table index out-of-bounds X-Git-Tag: v2.6.17-rc2~253 X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=c0ec31ad334fb83e53f2130eacbb44a639f77967;p=linux-2.6-omap-h63xx.git [PATCH] mpparse: prevent table index out-of-bounds John Z. Bohach found this bug: If the board has more than 32 PCI busses on it, the mptable bus array will overwrite its bounds for the PCI busses, and stomp on anything that's after it. Prevent possible table overflow and unknown data corruption. Code is in an __init section so it will be discarded after init. Signed-off-by: Randy Dunlap Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/arch/i386/kernel/mpparse.c b/arch/i386/kernel/mpparse.c index 4f95c9cf795..34d21e21e01 100644 --- a/arch/i386/kernel/mpparse.c +++ b/arch/i386/kernel/mpparse.c @@ -229,6 +229,13 @@ static void __init MP_bus_info (struct mpc_config_bus *m) mpc_oem_bus_info(m, str, translation_table[mpc_record]); + if (m->mpc_busid >= MAX_MP_BUSSES) { + printk(KERN_WARNING "MP table busid value (%d) for bustype %s " + " is too large, max. supported is %d\n", + m->mpc_busid, str, MAX_MP_BUSSES - 1); + return; + } + if (strncmp(str, BUSTYPE_ISA, sizeof(BUSTYPE_ISA)-1) == 0) { mp_bus_id_to_type[m->mpc_busid] = MP_BUS_ISA; } else if (strncmp(str, BUSTYPE_EISA, sizeof(BUSTYPE_EISA)-1) == 0) {