Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3730132imm; Mon, 6 Aug 2018 09:35:41 -0700 (PDT) X-Google-Smtp-Source: AAOMgpdi09jxFDg5STIy72vy0jXHGj5PSg4SDsbNCNoaNaP/zzrL4vspjxgjVI2pWaS/F96D1KTZ X-Received: by 2002:a62:4255:: with SMTP id p82-v6mr18137647pfa.238.1533573341725; Mon, 06 Aug 2018 09:35:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533573341; cv=none; d=google.com; s=arc-20160816; b=S/RoP72QI323zAlDjIBtIrLSpTE+GWXK8wMuKboCZDb6txT6wLNqUQFE4YXWwWVlpL Ndb/HuSM+/D5xDdlcE5EttRX5Bm43edp3LYTI2AfB913bk/9JBHsZqAyWCzRgE9H831K Sbx0zi4ZguHOGxIBgXLAi5wvFSaT+cjWYK4H/7uOj8Zb6xEdDP9TAJ575bc6xJXE2t2E P3WloGkEd5WE5OIefbbMJgYKur6EbCTYYf4C2l+QDOvyqxOeQS+FwmybitKNRVe2rLRV uN5B0fG4ST2p7Ha9hTHIzkrqTYSrull0Vuv+pI9oLOzqe1x62aDGx51uiqn7/Hv6RDgE LEww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=x1dfXPFJUFfkNOzxj8Esboq8TMeoVNdfclU9qmZkzlw=; b=c0ZBFRBIPPQ5ogx541g0fkqWGoVOW1ieRrJPGqQvfgVRMuXDEr1xZ3JmHjkxn0207e sVhboZK0eqZSxS1hIxhgahMNHfyDKCqDs/tHdLTmVYjn8cc7vJjdud8WAs2V1D8k03VP V/VTTMI0AQ44Q26Vy0eOuS/xUrlWycQ1tB3rxSaz7b37wYF0bAMKveMn7L7shx058qca sfUqNy+uxaJSQTWGQwMX+PmcwgThktfEZeGFwyTbHdE8MBJfpcd3AxwnydE9HMSHEZvP yqCBxo04ENOQN+uqk8oklBYWisfeFhnmAlZQDv5ke0OBKbLMrczZbKf0ePhAhd8/riFp y+OA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t16-v6si13313092pga.442.2018.08.06.09.35.26; Mon, 06 Aug 2018 09:35:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731043AbeHFQVW (ORCPT + 99 others); Mon, 6 Aug 2018 12:21:22 -0400 Received: from bran.ispras.ru ([83.149.199.196]:20271 "EHLO smtp.ispras.ru" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727940AbeHFQVW (ORCPT ); Mon, 6 Aug 2018 12:21:22 -0400 Received: from myklebust.intra.ispras.ru (unknown [10.10.2.207]) by smtp.ispras.ru (Postfix) with ESMTP id 4F94F203C7; Mon, 6 Aug 2018 17:12:00 +0300 (MSK) From: Anton Vasilyev To: Alan Cox Cc: Anton Vasilyev , Greg Kroah-Hartman , Jiri Slaby , linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org Subject: [PATCH v2] tty: rocket: Fix possible buffer overwrite on register_PCI Date: Mon, 6 Aug 2018 17:10:57 +0300 Message-Id: <20180806141057.7105-1-vasilyev@ispras.ru> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180802150201.316e3361@alans-desktop> References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If number of isa and pci boards exceed NUM_BOARDS on the path rp_init()->init_PCI()->register_PCI() then buffer overwrite occurs in register_PCI() on assign rcktpt_io_addr[i]. The patch adds check on upper bound for index of registered board in register_PCI. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Anton Vasilyev --- v2: do not enable device which will not be managed by driver. Based on Alan's comment. NOTE: I can't find if there is a call of pci_disable_device(), corresponding to pci_enable_device() from register_PCI(). --- drivers/tty/rocket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c index bdd17d2aaafd..f2238dc40426 100644 --- a/drivers/tty/rocket.c +++ b/drivers/tty/rocket.c @@ -1881,7 +1881,7 @@ static __init int register_PCI(int i, struct pci_dev *dev) ByteIO_t UPCIRingInd = 0; if (!dev || !pci_match_id(rocket_pci_ids, dev) || - pci_enable_device(dev)) + i >= NUM_BOARDS || pci_enable_device(dev)) return 0; rcktpt_io_addr[i] = pci_resource_start(dev, 0); -- 2.18.0