Commit 355e62f5 authored by Grant Likely's avatar Grant Likely

of/irq: Fix potential buffer overflow

Commit 23616132, "of/irq: Refactor interrupt-map parsing" introduced
a potential buffer overflow bug because it doesn't do sufficient range
checking on the input data. This patch adds the appropriate checking and
buffer size adjustments. If the bounds are out of range then warn
loudly. MAX_PHANDLE_ARGS should be sufficient. If it is not then the
value can be increased.
Signed-off-by: default avatarGrant Likely <grant.likely@linaro.org>
Cc: Rob Herring <rob.herring@calxeda.com>
parent 78119fd1
...@@ -95,9 +95,9 @@ struct device_node *of_irq_find_parent(struct device_node *child) ...@@ -95,9 +95,9 @@ struct device_node *of_irq_find_parent(struct device_node *child)
int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq) int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
{ {
struct device_node *ipar, *tnode, *old = NULL, *newpar = NULL; struct device_node *ipar, *tnode, *old = NULL, *newpar = NULL;
__be32 initial_match_array[8]; __be32 initial_match_array[MAX_PHANDLE_ARGS];
const __be32 *match_array = initial_match_array; const __be32 *match_array = initial_match_array;
const __be32 *tmp, *imap, *imask, dummy_imask[] = { ~0, ~0, ~0, ~0, ~0 }; const __be32 *tmp, *imap, *imask, dummy_imask[] = { [0 ... MAX_PHANDLE_ARGS] = ~0 };
u32 intsize = 1, addrsize, newintsize = 0, newaddrsize = 0; u32 intsize = 1, addrsize, newintsize = 0, newaddrsize = 0;
int imaplen, match, i; int imaplen, match, i;
...@@ -147,6 +147,10 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq) ...@@ -147,6 +147,10 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
pr_debug(" -> addrsize=%d\n", addrsize); pr_debug(" -> addrsize=%d\n", addrsize);
/* Range check so that the temporary buffer doesn't overflow */
if (WARN_ON(addrsize + intsize > MAX_PHANDLE_ARGS))
goto fail;
/* Precalculate the match array - this simplifies match loop */ /* Precalculate the match array - this simplifies match loop */
for (i = 0; i < addrsize; i++) for (i = 0; i < addrsize; i++)
initial_match_array[i] = addr ? addr[i] : 0; initial_match_array[i] = addr ? addr[i] : 0;
...@@ -229,6 +233,8 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq) ...@@ -229,6 +233,8 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
newintsize, newaddrsize); newintsize, newaddrsize);
/* Check for malformed properties */ /* Check for malformed properties */
if (WARN_ON(newaddrsize + newintsize > MAX_PHANDLE_ARGS))
goto fail;
if (imaplen < (newaddrsize + newintsize)) if (imaplen < (newaddrsize + newintsize))
goto fail; goto fail;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment