ACPI: bounds check IRQ to prevent memory corruption

acpi_penalize_isa_irq() should validate irq before using it to index the acpi_irq_penalty[] table. Here's the path I'm concerned about: pnpacpi_parse_allocated_irqresource() { ... irq = acpi_register_gsi(gsi, triggering, polarity); if (irq >= 0) pcibios_penalize_isa_irq(irq, 1); There's no guarantee that acpi_register_gsi() will return an IRQ within the bounds of acpi_irq_penalty[]. I have not seen a failure I can attribute to this. However, ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have IRQs larger than that. I think this should go in 2.6.27. Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com> Signed-off-by: Andi Kleen <ak@linux.intel.com>
2008-08-01 15:58:17 -06:00 · 2008-08-01 15:58:17 -06:00 · fa46d35264
--- a/drivers/acpi/pci_link.c
+++ b/drivers/acpi/pci_link.c
@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used)
 		if (irq < 0)
 			continue;

-		if (irq >= ACPI_MAX_IRQS)
+		if (irq >= ARRAY_SIZE(acpi_irq_penalty))
 			continue;

 		if (used)
@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used)
 */
 void acpi_penalize_isa_irq(int irq, int active)
 {
-	if (active)
-		acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
-	else
-		acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+	if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) {
+		if (active)
+			acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
+		else
+			acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+	}
 }

 /*