commit 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f
author Dominik Brodowski <linux@dominikbrodowski.net> Tue Aug 03 09:33:45 2010 +0200
committer Dominik Brodowski <linux@dominikbrodowski.net> Tue Aug 03 16:43:13 2010 +0200
tree a948c5814a7d2e82801927bc3d5f06d3d7056ab0
parent 0f52e86ded65749c6037473013ad77b2afa4f68d

pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq

NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in
pcmcia_setup_isa_irq():

static u8 pcmcia_used_irq[NR_IRQS];

...

		if ((try < 32) && pcmcia_used_irq[irq])
			continue;

This is read-only, so if this address would be non-zero, it would just
mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway!
And as request_irq() fails for an irq >= NR_IRQS, the setting code path:

			pcmcia_used_irq[irq]++;

is never reached as well.

Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
CC: stable@kernel.org
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>

drivers/pcmcia/pcmcia_resource.c

diff --git a/drivers/pcmcia/pcmcia_resource.c b/drivers/pcmcia/pcmcia_resource.c
index d48437f..54aa1c2 100644
--- a/drivers/pcmcia/pcmcia_resource.c
+++ b/drivers/pcmcia/pcmcia_resource.c
@@ -677,7 +677,7 @@
 #ifdef CONFIG_PCMCIA_PROBE
 
 /* mask of IRQs already reserved by other cards, we should avoid using them */
-static u8 pcmcia_used_irq[NR_IRQS];
+static u8 pcmcia_used_irq[32];
 
 static irqreturn_t test_action(int cpl, void *dev_id)
 {
@@ -700,6 +700,9 @@
 	for (try = 0; try < 64; try++) {
 		irq = try % 32;
 
+		if (irq > NR_IRQS)
+			continue;
+
 		/* marked as available by driver, not blocked by userspace? */
 		if (!((mask >> irq) & 1))
 			continue;