summaryrefslogtreecommitdiffstats
path: root/drivers/of/irq.c
diff options
context:
space:
mode:
authorGrant Likely <grant.likely@linaro.org>2013-11-02 08:11:02 +0100
committerGrant Likely <grant.likely@linaro.org>2013-11-04 00:16:43 +0100
commit355e62f5ad12b005c862838156262eb2df2f8dff (patch)
tree21263268a1e0a9e07680c027f406d42e4d85e268 /drivers/of/irq.c
parentof/irq: Fix bug in interrupt parsing refactor. (diff)
downloadlinux-355e62f5ad12b005c862838156262eb2df2f8dff.tar.xz
linux-355e62f5ad12b005c862838156262eb2df2f8dff.zip
of/irq: Fix potential buffer overflow
Commit 2361613206e6, "of/irq: Refactor interrupt-map parsing" introduced a potential buffer overflow bug because it doesn't do sufficient range checking on the input data. This patch adds the appropriate checking and buffer size adjustments. If the bounds are out of range then warn loudly. MAX_PHANDLE_ARGS should be sufficient. If it is not then the value can be increased. Signed-off-by: Grant Likely <grant.likely@linaro.org> Cc: Rob Herring <rob.herring@calxeda.com>
Diffstat (limited to 'drivers/of/irq.c')
-rw-r--r--drivers/of/irq.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/of/irq.c b/drivers/of/irq.c
index 52dba6a01423..d385bb824772 100644
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -95,9 +95,9 @@ struct device_node *of_irq_find_parent(struct device_node *child)
int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
{
struct device_node *ipar, *tnode, *old = NULL, *newpar = NULL;
- __be32 initial_match_array[8];
+ __be32 initial_match_array[MAX_PHANDLE_ARGS];
const __be32 *match_array = initial_match_array;
- const __be32 *tmp, *imap, *imask, dummy_imask[] = { ~0, ~0, ~0, ~0, ~0 };
+ const __be32 *tmp, *imap, *imask, dummy_imask[] = { [0 ... MAX_PHANDLE_ARGS] = ~0 };
u32 intsize = 1, addrsize, newintsize = 0, newaddrsize = 0;
int imaplen, match, i;
@@ -147,6 +147,10 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
pr_debug(" -> addrsize=%d\n", addrsize);
+ /* Range check so that the temporary buffer doesn't overflow */
+ if (WARN_ON(addrsize + intsize > MAX_PHANDLE_ARGS))
+ goto fail;
+
/* Precalculate the match array - this simplifies match loop */
for (i = 0; i < addrsize; i++)
initial_match_array[i] = addr ? addr[i] : 0;
@@ -229,6 +233,8 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
newintsize, newaddrsize);
/* Check for malformed properties */
+ if (WARN_ON(newaddrsize + newintsize > MAX_PHANDLE_ARGS))
+ goto fail;
if (imaplen < (newaddrsize + newintsize))
goto fail;