From 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f Mon Sep 17 00:00:00 2001 From: Dominik Brodowski Date: Tue, 3 Aug 2010 09:33:45 +0200 Subject: [PATCH] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in pcmcia_setup_isa_irq(): static u8 pcmcia_used_irq[NR_IRQS]; ... if ((try < 32) && pcmcia_used_irq[irq]) continue; This is read-only, so if this address would be non-zero, it would just mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway! And as request_irq() fails for an irq >= NR_IRQS, the setting code path: pcmcia_used_irq[irq]++; is never reached as well. Reported-by: Christoph Fritz CC: stable@kernel.org Signed-off-by: Dominik Brodowski Signed-off-by: Christoph Fritz --- drivers/pcmcia/pcmcia_resource.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/pcmcia/pcmcia_resource.c b/drivers/pcmcia/pcmcia_resource.c index d48437f83acf..54aa1c238cb3 100644 --- a/drivers/pcmcia/pcmcia_resource.c +++ b/drivers/pcmcia/pcmcia_resource.c @@ -677,7 +677,7 @@ EXPORT_SYMBOL(__pcmcia_request_exclusive_irq); #ifdef CONFIG_PCMCIA_PROBE /* mask of IRQs already reserved by other cards, we should avoid using them */ -static u8 pcmcia_used_irq[NR_IRQS]; +static u8 pcmcia_used_irq[32]; static irqreturn_t test_action(int cpl, void *dev_id) { @@ -700,6 +700,9 @@ static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type) for (try = 0; try < 64; try++) { irq = try % 32; + if (irq > NR_IRQS) + continue; + /* marked as available by driver, not blocked by userspace? */ if (!((mask >> irq) & 1)) continue;