Alan, Dave:
This patch fixes an error in the pnpbios driver's routine
for reading ESCD data. (Note the 'buf' changed to 'tmpbuf'.)
Also, it adds another sanity check.
This bug probably caused the crashes reported by Chris Rankin
and Zwane Mwaikambo some weeks ago.
-- Thomas Hood--- linux-2.4.19-ac4/drivers/pnp/pnpbios_proc.c_ORIG Wed Aug 7 23:31:08 2002 +++ linux-2.4.19-ac4/drivers/pnp/pnpbios_proc.c Fri Aug 9 10:38:29 2002 @@ -62,39 +62,47 @@ "ESCD_size %d\n" "NVRAM_base 0x%x\n", escd.min_escd_write_size, escd.escd_size, escd.nv_storage_base ); } +#define MAX_SANE_ESCD_SIZE (32*1024) static int proc_read_escd(char *buf, char **start, off_t pos, int count, int *eof, void *data) { struct escd_info_struc escd; char *tmpbuf; int escd_size, escd_left_to_read, n; if (pnp_bios_escd_info(&escd)) return -EIO; /* sanity check */ - if (escd.escd_size > (32*1024)) { - printk(KERN_ERR "PnPBIOS: proc_read_escd: ESCD size is too great\n"); + if (escd.escd_size > MAX_SANE_ESCD_SIZE) { + printk(KERN_ERR "PnPBIOS: proc_read_escd: ESCD size reported by BIOS escd_info call is too great\n"); return -EFBIG; } tmpbuf = pnpbios_kmalloc(escd.escd_size, GFP_KERNEL); if (!tmpbuf) return -ENOMEM; if (pnp_bios_read_escd(tmpbuf, escd.nv_storage_base)) return -EIO; - escd_size = (unsigned char)(buf[0]) + (unsigned char)(buf[1])*256; + escd_size = (unsigned char)(tmpbuf[0]) + (unsigned char)(tmpbuf[1])*256; + + /* sanity check */ + if (escd_size > MAX_SANE_ESCD_SIZE) { + printk(KERN_ERR "PnPBIOS: proc_read_escd: ESCD size reported by BIOS read_escd call is too great\n"); + return -EFBIG; + } + escd_left_to_read = escd_size - pos; if (escd_left_to_read < 0) escd_left_to_read = 0; if (escd_left_to_read == 0) *eof = 1; n = min(count,escd_left_to_read); memcpy(buf, tmpbuf + pos, n); kfree(tmpbuf); *start = buf; return n;
__________________________________________________ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Aug 15 2002 - 22:00:19 EST