[1/2] PCI: Avoid access memory outside the resource window

Message ID 1528163206-4136-1-git-send-email-Rex.Zhu@amd.com
State Accepted
Delegated to: Bjorn Helgaas

Commit Message

Rex Zhu June 5, 2018, 1:46 a.m.
change ">" to ">=" to avoid access beyond the actual
length of io memory.

Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>
---
 drivers/pci/rom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Deucher, Alexander June 12, 2018, 2:34 p.m. | #1
> -----Original Message-----
> From: Rex Zhu [mailto:Rex.Zhu@amd.com]
> Sent: Monday, June 4, 2018 9:47 PM
> To: bhelgaas@google.com; Daenzer, Michel <Michel.Daenzer@amd.com>;
> Deucher, Alexander <Alexander.Deucher@amd.com>; linux-
> pci@vger.kernel.org
> Cc: Zhu, Rex <Rex.Zhu@amd.com>
> Subject: [PATCH 1/2] PCI: Avoid access memory outside the resource
> window
> 
> change ">" to ">=" to avoid access beyond the actual length of io memory.
> 
> Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>

Series is:
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>

> ---
>  drivers/pci/rom.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c index 374a334..a5c6016
> 100644
> --- a/drivers/pci/rom.c
> +++ b/drivers/pci/rom.c
> @@ -108,7 +108,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void
> __iomem *rom, size_t size)
>  		length = readw(pds + 16);
>  		image += length * 512;
>  		/* Avoid iterating through memory outside the resource
> window */
> -		if (image > rom + size)
> +		if (image >= rom + size)
>  			break;
>  	} while (length && !last_image);
> 
> --
> 1.9.1
Bjorn Helgaas June 30, 2018, 2:20 a.m. | #2
On Tue, Jun 05, 2018 at 09:46:45AM +0800, Rex Zhu wrote:
> change ">" to ">=" to avoid access beyond the actual
> length of io memory.
> 
> Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>

Both applied with Alex's reviewed-by to pci/resource for v4.19, thanks!

I also added a patch to make pci_get_rom_size() static, since it's only
used by pci_map_rom().

> ---
>  drivers/pci/rom.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
> index 374a334..a5c6016 100644
> --- a/drivers/pci/rom.c
> +++ b/drivers/pci/rom.c
> @@ -108,7 +108,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
>  		length = readw(pds + 16);
>  		image += length * 512;
>  		/* Avoid iterating through memory outside the resource window */
> -		if (image > rom + size)
> +		if (image >= rom + size)
>  			break;
>  	} while (length && !last_image);
>  
> -- 
> 1.9.1
>

Patch

diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
index 374a334..a5c6016 100644
--- a/drivers/pci/rom.c
+++ b/drivers/pci/rom.c
@@ -108,7 +108,7 @@  size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
 		length = readw(pds + 16);
 		image += length * 512;
 		/* Avoid iterating through memory outside the resource window */
-		if (image > rom + size)
+		if (image >= rom + size)
 			break;
 	} while (length && !last_image);
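
Review bot: The changed comparison `if (image >= rom + size)` bounds only where the next image starts, and nothing in this hunk bounds the read at its top, `readw(pds + 16)`. With `>=` the loop stops when `image` lands exactly on the end of the window, which covers the equal-to-end case. An `image` that lands a few bytes short of `rom + size` still passes the check, and the hunk does not show that the header fields read on the next pass fit inside the window. Consider also checking that those fields lie below `rom + size` before continuing. The commit message should say which access was out of range when `image == rom + size`, since "access beyond the actual length" does not identify it.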