ACPI: bounds check IRQ to prevent memory corruption
author Bjorn Helgaas <bjorn.helgaas@hp.com>
Fri, 1 Aug 2008 21:58:17 +0000 (15:58 -0600)
committer Andi Kleen <ak@linux.intel.com>
Fri, 15 Aug 2008 01:17:07 +0000 (03:17 +0200)
acpi_penalize_isa_irq() should validate irq before using it to
index the acpi_irq_penalty[] table.

Here's the path I'm concerned about:

    pnpacpi_parse_allocated_irqresource()
    {
        ...
        irq = acpi_register_gsi(gsi, triggering, polarity);
        if (irq >= 0)
            pcibios_penalize_isa_irq(irq, 1);

There's no guarantee that acpi_register_gsi() will return an IRQ
within the bounds of acpi_irq_penalty[].

I have not seen a failure I can attribute to this.  However,
ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have
IRQs larger than that.

I think this should go in 2.6.27.

Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
drivers/acpi/pci_link.c

index 89f3b2abfdc7b9f15f65513cdb1d852712735c8f..cf47805a7448ccc9ddfbec7009cc975be371c760 100644 (file)
@@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used)
                if (irq < 0)
                        continue;
 
-               if (irq >= ACPI_MAX_IRQS)
+               if (irq >= ARRAY_SIZE(acpi_irq_penalty))
                        continue;
 
                if (used)
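Review bot: The upper-bound test `if (irq >= ARRAY_SIZE(acpi_irq_penalty))` compares irq against an unsigned size, so it reads correctly only because the `if (irq < 0)` check sits directly above it. Consider folding the two tests into one range check in the same form as the one added to acpi_penalize_isa_irq() in the next hunk, so the two sites stay consistent and a later edit cannot separate the negative check from the bound.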
@@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used)
  */
 void acpi_penalize_isa_irq(int irq, int active)
 {
-       if (active)
-               acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
-       else
-               acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+       if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) {
+               if (active)
+                       acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
+               else
+                       acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+       }
 }
 
 /*
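Review bot: In acpi_penalize_isa_irq(), an out-of-range irq is now dropped silently, so a caller such as the pnpacpi path quoted in the commit message gets no indication that the penalty was not recorded. Since the message expects IRQs above ACPI_MAX_IRQS on ia64, the comment block above the function should state that IRQs outside acpi_irq_penalty[] are ignored, and a debug-level message for that case would help when diagnosing IRQ routing. As a style point, returning early on the invalid case would avoid re-indenting the existing if/else body.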