Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Date:   Thu, 2 Aug 2018 15:02:01 +0100
From:   Alan Cox <gnomes@lxorguk.ukuu.org.uk>
To:     Anton Vasilyev <vasilyev@ispras.ru>
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>, linux-kernel@vger.kernel.org,
        ldv-project@linuxtesting.org
Subject: Re: [PATCH] tty: rocket: Fix possible buffer overwrite on
 register_PCI
Message-ID: <20180802150201.316e3361@alans-desktop>
In-Reply-To: <20180727133931.12701-1-vasilyev@ispras.ru>
References: <20180727133931.12701-1-vasilyev@ispras.ru>
Organization: Intel Corporation
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Fri, 27 Jul 2018 16:39:31 +0300
Anton Vasilyev <vasilyev@ispras.ru> wrote:

> If number of isa and pci boards exceed NUM_BOARDS on the path
> rp_init()->init_PCI()->register_PCI() then buffer overwrite occurs
> in register_PCI() on assign rcktpt_io_addr[i].
> 
> The patch adds check on upper bound for index of registered
> board in register_PCI.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
> ---
>  drivers/tty/rocket.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c
> index bdd17d2aaafd..b121d8f8f3d7 100644
> --- a/drivers/tty/rocket.c
> +++ b/drivers/tty/rocket.c
> @@ -1881,7 +1881,7 @@ static __init int register_PCI(int i, struct pci_dev *dev)
>  	ByteIO_t UPCIRingInd = 0;
>  
>  	if (!dev || !pci_match_id(rocket_pci_ids, dev) ||
> -	    pci_enable_device(dev))
> +	    pci_enable_device(dev) || i >= NUM_BOARDS)
>  		return 0;
>  
>  	rcktpt_io_addr[i] = pci_resource_start(dev, 0);

This is a real fix but you want to check i >= NUM_BOARDS before you
enable the device

Alan