aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBjorn Helgaas <bjorn.helgaas@hp.com>2008-08-01 17:58:17 -0400
committerAndi Kleen <ak@linux.intel.com>2008-08-14 21:17:07 -0400
commitfa46d3526461e8aa7c0fb39cc1b98ac656695a43 (patch)
tree0094d2a1ff5782cdf6f65dcdf8c7c54e0e1bded9
parentb635acec48bcaa9183fcbf4e3955616b0d4119b5 (diff)
ACPI: bounds check IRQ to prevent memory corruption
acpi_penalize_isa_irq() should validate irq before using it to index the acpi_irq_penalty[] table. Here's the path I'm concerned about: pnpacpi_parse_allocated_irqresource() { ... irq = acpi_register_gsi(gsi, triggering, polarity); if (irq >= 0) pcibios_penalize_isa_irq(irq, 1); There's no guarantee that acpi_register_gsi() will return an IRQ within the bounds of acpi_irq_penalty[]. I have not seen a failure I can attribute to this. However, ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have IRQs larger than that. I think this should go in 2.6.27. Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com> Signed-off-by: Andi Kleen <ak@linux.intel.com>
-rw-r--r--drivers/acpi/pci_link.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/acpi/pci_link.c b/drivers/acpi/pci_link.c
index 89f3b2abfdc7..cf47805a7448 100644
--- a/drivers/acpi/pci_link.c
+++ b/drivers/acpi/pci_link.c
@@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used)
849 if (irq < 0) 849 if (irq < 0)
850 continue; 850 continue;
851 851
852 if (irq >= ACPI_MAX_IRQS) 852 if (irq >= ARRAY_SIZE(acpi_irq_penalty))
853 continue; 853 continue;
854 854
855 if (used) 855 if (used)
@@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used)
872 */ 872 */
873void acpi_penalize_isa_irq(int irq, int active) 873void acpi_penalize_isa_irq(int irq, int active)
874{ 874{
875 if (active) 875 if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) {
876 acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED; 876 if (active)
877 else 877 acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
878 acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING; 878 else
879 acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
880 }
879} 881}
880 882
881/* 883/*