PCI: Check dynids driver_data value for validity

Only accept dynids whose driver_data value matches one of the driver's pci_driver_id entries. This prevents the user from accidentally passing values the drivers do not expect. Cc: Milton Miller <miltonm@bga.com> Acked-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
author: Jean Delvare <khali@linux-fr.org> 2008-08-17 15:06:59 -0400
committer: Jesse Barnes <jbarnes@virtuousgeek.org> 2008-10-20 13:48:35 -0400
commit: b41d6cf38e27a940d998d989526a9748de1bf028 (patch)
tree: a2ae90005e000d4f9d16637171ff11dd31a4917a /drivers
parent: edbc25caaa492a82e19baa915f1f6b0a0db6554d (diff)
3 files changed, 16 insertions, 10 deletions
diff --git a/drivers/i2c/busses/i2c-amd756.c b/drivers/i2c/busses/i2c-amd756.c
index a3542b053c8e..424dad6f18d8 100644
--- a/drivers/i2c/busses/i2c-amd756.c
+++ b/drivers/i2c/busses/i2c-amd756.c
@@ -332,10 +332,6 @@ static int __devinit amd756_probe(struct pci_dev *pdev,
        int error;
        u8 temp;
        
-        /* driver_data might come from user-space, so check it */
-        if (id->driver_data >= ARRAY_SIZE(chipname))
-                return -EINVAL;
        if (amd756_ioport) {
                dev_err(&pdev->dev, "Only one device supported "
                       "(you have a strange motherboard, btw)\n");
diff --git a/drivers/i2c/busses/i2c-viapro.c b/drivers/i2c/busses/i2c-viapro.c
index 2324780484c0..9f194d9efd91 100644
--- a/drivers/i2c/busses/i2c-viapro.c
+++ b/drivers/i2c/busses/i2c-viapro.c
@@ -332,10 +332,6 @@ static int __devinit vt596_probe(struct pci_dev *pdev,
        unsigned char temp;
        int error = -ENODEV;
-        /* driver_data might come from user-space, so check it */
-        if (id->driver_data & 1 || id->driver_data > 0xff)
-                return -EINVAL;
        /* Determine the address of the SMBus areas */
        if (force_addr) {
                vt596_smba = force_addr & 0xfff0;
diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
index 4940a53c56a3..b4cdd690ae71 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -43,18 +43,32 @@ store_new_id(struct device_driver *driver, const char *buf, size_t count)
 {
        struct pci_dynid *dynid;
        struct pci_driver *pdrv = to_pci_driver(driver);
+        const struct pci_device_id *ids = pdrv->id_table;
        __u32 vendor, device, subvendor=PCI_ANY_ID,
                subdevice=PCI_ANY_ID, class=0, class_mask=0;
        unsigned long driver_data=0;
        int fields=0;
-        int retval = 0;
+        int retval;
-        fields = sscanf(buf, "%x %x %x %x %x %x %lux",
+        fields = sscanf(buf, "%x %x %x %x %x %x %lx",
                        &vendor, &device, &subvendor, &subdevice,
                        &class, &class_mask, &driver_data);
        if (fields < 2)
                return -EINVAL;
+        /* Only accept driver_data values that match an existing id_table
+           entry */
+        retval = -EINVAL;
+        while (ids->vendor || ids->subvendor || ids->class_mask) {
+                if (driver_data == ids->driver_data) {
+                        retval = 0;
+                        break;
+                }
+                ids++;
+        }
+        if (retval)     /* No match */
+                return retval;
        dynid = kzalloc(sizeof(*dynid), GFP_KERNEL);
        if (!dynid)
                return -ENOMEM;
author	Jean Delvare <khali@linux-fr.org>	2008-08-17 15:06:59 -0400
committer	Jesse Barnes <jbarnes@virtuousgeek.org>	2008-10-20 13:48:35 -0400
commit	b41d6cf38e27a940d998d989526a9748de1bf028 (patch)
tree	a2ae90005e000d4f9d16637171ff11dd31a4917a /drivers
parent	edbc25caaa492a82e19baa915f1f6b0a0db6554d (diff)