Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 9 Aug 2002 08:43:55 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 9 Aug 2002 08:43:55 -0400 Received: from smtp013.mail.yahoo.com ([216.136.173.57]:6661 "HELO smtp013.mail.yahoo.com") by vger.kernel.org with SMTP id ; Fri, 9 Aug 2002 08:43:54 -0400 Subject: [PATCH] Fix error in pnpbios escd read routine From: Thomas Hood To: linux-kernel@vger.kernel.org Cc: Chris Rankin , Zwane Mwaikambo , Alan Cox , Dave Jones Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7 Date: 09 Aug 2002 10:47:16 -0300 Message-Id: <1028900843.919.14.camel@thanatos> Mime-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2358 Lines: 78 Alan, Dave: This patch fixes an error in the pnpbios driver's routine for reading ESCD data. (Note the 'buf' changed to 'tmpbuf'.) Also, it adds another sanity check. This bug probably caused the crashes reported by Chris Rankin and Zwane Mwaikambo some weeks ago. -- Thomas Hood --- linux-2.4.19-ac4/drivers/pnp/pnpbios_proc.c_ORIG Wed Aug 7 23:31:08 2002 +++ linux-2.4.19-ac4/drivers/pnp/pnpbios_proc.c Fri Aug 9 10:38:29 2002 @@ -62,39 +62,47 @@ "ESCD_size %d\n" "NVRAM_base 0x%x\n", escd.min_escd_write_size, escd.escd_size, escd.nv_storage_base ); } +#define MAX_SANE_ESCD_SIZE (32*1024) static int proc_read_escd(char *buf, char **start, off_t pos, int count, int *eof, void *data) { struct escd_info_struc escd; char *tmpbuf; int escd_size, escd_left_to_read, n; if (pnp_bios_escd_info(&escd)) return -EIO; /* sanity check */ - if (escd.escd_size > (32*1024)) { - printk(KERN_ERR "PnPBIOS: proc_read_escd: ESCD size is too great\n"); + if (escd.escd_size > MAX_SANE_ESCD_SIZE) { + printk(KERN_ERR "PnPBIOS: proc_read_escd: ESCD size reported by BIOS escd_info call is too great\n"); return -EFBIG; } tmpbuf = pnpbios_kmalloc(escd.escd_size, GFP_KERNEL); if (!tmpbuf) return -ENOMEM; if (pnp_bios_read_escd(tmpbuf, escd.nv_storage_base)) return -EIO; - escd_size = (unsigned char)(buf[0]) + (unsigned char)(buf[1])*256; + escd_size = (unsigned char)(tmpbuf[0]) + (unsigned char)(tmpbuf[1])*256; + + /* sanity check */ + if (escd_size > MAX_SANE_ESCD_SIZE) { + printk(KERN_ERR "PnPBIOS: proc_read_escd: ESCD size reported by BIOS read_escd call is too great\n"); + return -EFBIG; + } + escd_left_to_read = escd_size - pos; if (escd_left_to_read < 0) escd_left_to_read = 0; if (escd_left_to_read == 0) *eof = 1; n = min(count,escd_left_to_read); memcpy(buf, tmpbuf + pos, n); kfree(tmpbuf); *start = buf; return n; __________________________________________________ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/