From: Bjorn Helgaas Date: Fri, 1 Aug 2008 21:58:17 +0000 (-0600) Subject: ACPI: bounds check IRQ to prevent memory corruption X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=fa46d3526461e8aa7c0fb39cc1b98ac656695a43;p=GitHub%2Fmt8127%2Fandroid_kernel_alcatel_ttab.git ACPI: bounds check IRQ to prevent memory corruption acpi_penalize_isa_irq() should validate irq before using it to index the acpi_irq_penalty[] table. Here's the path I'm concerned about: pnpacpi_parse_allocated_irqresource() { ... irq = acpi_register_gsi(gsi, triggering, polarity); if (irq >= 0) pcibios_penalize_isa_irq(irq, 1); There's no guarantee that acpi_register_gsi() will return an IRQ within the bounds of acpi_irq_penalty[]. I have not seen a failure I can attribute to this. However, ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have IRQs larger than that. I think this should go in 2.6.27. Signed-off-by: Bjorn Helgaas Signed-off-by: Andi Kleen --- diff --git a/drivers/acpi/pci_link.c b/drivers/acpi/pci_link.c index 89f3b2abfdc7..cf47805a7448 100644 --- a/drivers/acpi/pci_link.c +++ b/drivers/acpi/pci_link.c @@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used) if (irq < 0) continue; - if (irq >= ACPI_MAX_IRQS) + if (irq >= ARRAY_SIZE(acpi_irq_penalty)) continue; if (used) @@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used) */ void acpi_penalize_isa_irq(int irq, int active) { - if (active) - acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED; - else - acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING; + if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) { + if (active) + acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED; + else + acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING; + } } /*