Message ID | 20200107130607.tv3uosduwkw3yka6@kili.mountain |
---|---|
State | Accepted |
Delegated to: | David Miller |
Series | [1/2] cmd64x: potential buffer overflow in cmd64x_program_timings() |

From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 7 Jan 2020 16:06:07 +0300

> The "drive->dn" variable is a u8 controlled by root.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied.

On 1/20/20 2:40 PM, David Miller wrote:
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Date: Tue, 7 Jan 2020 16:06:07 +0300
>
>> The "drive->dn" variable is a u8 controlled by root.
>>
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

drive->dn should not be root controllable, please point me where it happens
as this may need fixing instead of serverworks driver.

[ IDE core makes sure that drive->dn is never > 3 and a lot of code assumes it. ]

> Applied.

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics

diff --git a/drivers/ide/serverworks.c b/drivers/ide/serverworks.c index ac6fc3fffa0d..458e72e034b0 100644 --- a/drivers/ide/serverworks.c +++ b/drivers/ide/serverworks.c @@ -115,6 +115,9 @@ static void svwks_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive) struct pci_dev *dev = to_pci_dev(hwif->dev); const u8 pio = drive->pio_mode - XFER_PIO_0; + if (drive->dn >= ARRAY_SIZE(drive_pci)) + return; + pci_write_config_byte(dev, drive_pci[drive->dn], pio_modes[pio]); if (svwks_csb_check(dev)) { @@ -141,6 +144,9 @@ static void svwks_set_dma_mode(ide_hwif_t *hwif, ide_drive_t *drive) u8 ultra_enable = 0, ultra_timing = 0, dma_timing = 0; + if (drive->dn >= ARRAY_SIZE(drive_pci2)) + return; + pci_read_config_byte(dev, (0x56|hwif->channel), &ultra_timing); pci_read_config_byte(dev, 0x54, &ultra_enable);
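
Review bot: In the first hunk (svwks_set_pio_mode), the new check bounds drive->dn, but the same pci_write_config_byte() call also reads pio_modes[pio], where pio is a u8 computed as drive->pio_mode - XFER_PIO_0 with no range check in the visible lines. If drive->dn is treated as untrusted here, the pio index deserves the same treatment, for example a matching test against ARRAY_SIZE(pio_modes) in the same if statement, or a short comment naming where pio_mode is already validated.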
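
Review bot: In the second hunk (svwks_set_dma_mode), the early return is silent and the function returns void, so a caller cannot tell that no DMA timing was programmed for the drive. A comment above the check stating how drive->dn can reach ARRAY_SIZE(drive_pci2) or more would help, since the commit message only says the value is "controlled by root" and the thread reply states the IDE core keeps it at 3 or below. If the condition is meant to be unreachable, a one-time diagnostic before the return would make a violation visible instead of leaving the previous mode in place unnoticed.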

The "drive->dn" variable is a u8 controlled by root.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/ide/serverworks.c | 6 ++++++
 1 file changed, 6 insertions(+)