[PATCH] early_serial_setup array bounds check (2.6)

From: Bjorn Helgaas
Date: Thu Oct 16 2003 - 13:33:08 EST

Next message: Robert Love: "Re: Transparent compression in the FS"
Previous message: Jesper Juhl: "[PATCH] Minor fix for wrong format in drivers/mtd/inftlcore.c(2.6.0-test7)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

early_serial_setup() doesn't validate the array index,
so a caller could corrupt memory after serial8250_ports[]
by supplying a value of port->line that's too large.

I haven't seen a failure related to this, but it seems fragile
to rely on callers to know how many ports the driver
supports.

Bjorn

===== drivers/serial/8250.c 1.40 vs edited =====
--- 1.40/drivers/serial/8250.c Sun Oct 5 15:07:20 2003
+++ edited/drivers/serial/8250.c Thu Oct 16 10:01:07 2003
@@ -2086,6 +2086,9 @@

int __init early_serial_setup(struct uart_port *port)
{
+ if (port->line >= ARRAY_SIZE(serial8250_ports))
+ return -ENODEV;
+
serial8250_isa_init_ports();
serial8250_ports[port->line].port = *port;
serial8250_ports[port->line].port.ops = &serial8250_pops;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Robert Love: "Re: Transparent compression in the FS"
Previous message: Jesper Juhl: "[PATCH] Minor fix for wrong format in drivers/mtd/inftlcore.c(2.6.0-test7)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]