author | Luka Perkov <luka@openwrt.org> | 2014-02-11 02:07:44 +0000 |
---|---|---|
committer | Luka Perkov <luka@openwrt.org> | 2014-02-11 02:07:44 +0000 |
commit | c9ae111a20be4c9555128cced8edded660d133df (patch) | |
tree | fd4809b562d454394cbb9ec517bf3f1ef2d5b6f2 /target/linux/mvebu/patches-3.10/0191-of-irq-Fix-potential-buffer-overflow.patch | |
parent | 3af779eb172b0438f77e8a01a97dd0eb9a146076 (diff) | |
mvebu: backport mainline patches from kernel 3.13
This is a backport of the patches accepted to the Linux mainline related to
mvebu SoC (Armada XP and Armada 370) between Linux v3.12, and Linux v3.13.
This work mainly covers:
* Finishes work for sharing the pxa nand driver(drivers/mtd/nand/pxa3xx_nand.c)
between the PXA family, and the Armada family.
* timer initialization update, and access function for the Armada family.
* Generic IRQ handling backporting.
* Some bug fixes.
Signed-off-by: Seif Mazareeb <seif.mazareeb@gmail.com>
CC: Luka Perkov <luka@openwrt.org>
SVN-Revision: 39566
Diffstat (limited to 'target/linux/mvebu/patches-3.10/0191-of-irq-Fix-potential-buffer-overflow.patch')
-rw-r--r-- | target/linux/mvebu/patches-3.10/0191-of-irq-Fix-potential-buffer-overflow.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/target/linux/mvebu/patches-3.10/0191-of-irq-Fix-potential-buffer-overflow.patch b/target/linux/mvebu/patches-3.10/0191-of-irq-Fix-potential-buffer-overflow.patch
new file mode 100644
index 0000000000..9c7908d7b9
--- /dev/null
+++ b/target/linux/mvebu/patches-3.10/0191-of-irq-Fix-potential-buffer-overflow.patch
@@ -0,0 +1,52 @@
+From 5a1bd82f089e19ba049a871a0d5538ed9eb5e5cd Mon Sep 17 00:00:00 2001
+From: Grant Likely <grant.likely@linaro.org>
+Date: Thu, 19 Dec 2013 09:31:02 -0300
+Subject: [PATCH 191/203] of/irq: Fix potential buffer overflow
+
+Commit 2361613206e6, "of/irq: Refactor interrupt-map parsing" introduced
+a potential buffer overflow bug because it doesn't do sufficient range
+checking on the input data. This patch adds the appropriate checking and
+buffer size adjustments. If the bounds are out of range then warn
+loudly. MAX_PHANDLE_ARGS should be sufficient. If it is not then the
+value can be increased.
+
+Signed-off-by: Grant Likely <grant.likely@linaro.org>
+Cc: Rob Herring <rob.herring@calxeda.com>
+---
+ drivers/of/irq.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -95,9 +95,9 @@ struct device_node *of_irq_find_parent(s
+ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
+ {
+ struct device_node *ipar, *tnode, *old = NULL, *newpar = NULL;
+- __be32 initial_match_array[8];
++ __be32 initial_match_array[MAX_PHANDLE_ARGS];
+ const __be32 *match_array = initial_match_array;
+- const __be32 *tmp, *imap, *imask, dummy_imask[] = { ~0, ~0, ~0, ~0, ~0 };
++ const __be32 *tmp, *imap, *imask, dummy_imask[] = { [0 ... MAX_PHANDLE_ARGS] = ~0 };
+ u32 intsize = 1, addrsize, newintsize = 0, newaddrsize = 0;
+ int imaplen, match, i;
+
+@@ -147,6 +147,10 @@ int of_irq_parse_raw(const __be32 *addr,
+
+ pr_debug(" -> addrsize=%d\n", addrsize);
+
++ /* Range check so that the temporary buffer doesn't overflow */
++ if (WARN_ON(addrsize + intsize > MAX_PHANDLE_ARGS))
++ goto fail;
++
+ /* Precalculate the match array - this simplifies match loop */
+ for (i = 0; i < addrsize; i++)
+ initial_match_array[i] = addr ? addr[i] : 0;
+@@ -229,6 +233,8 @@ int of_irq_parse_raw(const __be32 *addr,
+ newintsize, newaddrsize);
+
+ /* Check for malformed properties */
++ if (WARN_ON(newaddrsize + newintsize > MAX_PHANDLE_ARGS))
++ goto fail;
+ if (imaplen < (newaddrsize + newintsize))
+ goto fail;
+ |
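Review bot: Both new range checks in `of_irq_parse_raw` add two `u32` values before comparing, so `addrsize + intsize` and `newaddrsize + newintsize` can wrap around and pass the `> MAX_PHANDLE_ARGS` test when one cell count is very large; the `for (i = 0; i < addrsize; i++)` fill of `initial_match_array` would then still write past the buffer. The cell counts are presumably read from device-tree properties in code outside these hunks, so a malformed tree is the case to guard against. Checking each operand separately avoids the wrap: `if (WARN_ON(addrsize > MAX_PHANDLE_ARGS || intsize > MAX_PHANDLE_ARGS - addrsize))`, with the same form for `newaddrsize`/`newintsize`. Separately, `[0 ... MAX_PHANDLE_ARGS]` is an inclusive range, so `dummy_imask` gets one element more than `initial_match_array`; that is harmless, but `[0 ... MAX_PHANDLE_ARGS - 1]` would keep the two sizes in step. The function body starts and continues outside the quoted hunks, so how these values are used further down is not visible here.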