From c0ec31ad334fb83e53f2130eacbb44a639f77967 Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Mon, 10 Apr 2006 22:53:13 -0700 Subject: [PATCH] mpparse: prevent table index out-of-bounds John Z. Bohach found this bug: If the board has more than 32 PCI busses on it, the mptable bus array will overwrite its bounds for the PCI busses, and stomp on anything that's after it. Prevent possible table overflow and unknown data corruption. Code is in an __init section so it will be discarded after init. Signed-off-by: Randy Dunlap Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- arch/i386/kernel/mpparse.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/arch/i386/kernel/mpparse.c b/arch/i386/kernel/mpparse.c index 4f95c9cf7957..34d21e21e012 100644 --- a/arch/i386/kernel/mpparse.c +++ b/arch/i386/kernel/mpparse.c @@ -229,6 +229,13 @@ static void __init MP_bus_info (struct mpc_config_bus *m) mpc_oem_bus_info(m, str, translation_table[mpc_record]); + if (m->mpc_busid >= MAX_MP_BUSSES) { + printk(KERN_WARNING "MP table busid value (%d) for bustype %s " + " is too large, max. supported is %d\n", + m->mpc_busid, str, MAX_MP_BUSSES - 1); + return; + } + if (strncmp(str, BUSTYPE_ISA, sizeof(BUSTYPE_ISA)-1) == 0) { mp_bus_id_to_type[m->mpc_busid] = MP_BUS_ISA; } else if (strncmp(str, BUSTYPE_EISA, sizeof(BUSTYPE_EISA)-1) == 0) { -- cgit v1.2.1