[PATCH] mpparse: prevent table index out-of-bounds

On Thu, 6 Apr 2006 09:18:45 -0700 John Z. Bohach wrote:

Re: mem= causes oops (was Re: BIOS causes (exposes?) modprobe (load_module) kernel oops)

> I found the root cause, but don't know if its worth fixing.  If the board has more than
> 32 PCI busses on it, the mptable bus array will overwrite its bounds for the PCI busses,
> and stomp on anything that's after it.  In this case, what got stomped on is the PAGE_KERNEL_EXEC
> variable, which changed the bit-field settings for the page tables (cleared the 'present' bit,
> and screwed up the rest), hence accounting for the page fault.

Well, > 32 busses or just one busid value >= 32.

> This can only happen if there are more than 32 PCI busses, so I'd say its an _extremely_ rare
> condition on a desktop system.  At any rate, the fix would simply be to change the value of the
> #define in the mptable.h header file (I forget which exactly, but its easy to find) from 32 to 256.
> The side effect of that is that the kernel data area would grow, and mostly be a total waste,
> since I can't fathom a desktop system with more than 32 PCI busses.  On arch's where more than
> 32 PCI busses are likely, the #define is already 256.

I think that the kernel init code should detect and prevent the
data corruption.  Here's a patch to do that, by ignoring busses
whose busid value is too large.
~~~


From: Randy Dunlap <[email protected]>

Prevent possible table overflow and unknown data corruption.
Code is in an __init section so it will be discarded after init.

Signed-off-by: Randy Dunlap <[email protected]>
---
 arch/i386/kernel/mpparse.c |    7 +++++++
 1 files changed, 7 insertions(+)

--- linux-2617-rc1.orig/arch/i386/kernel/mpparse.c
+++ linux-2617-rc1/arch/i386/kernel/mpparse.c
@@ -249,6 +249,13 @@ static void __init MP_bus_info (struct m
 
 	mpc_oem_bus_info(m, str, translation_table[mpc_record]);
 
+	if (m->mpc_busid >= MAX_MP_BUSSES) {
+		printk(KERN_WARNING "MP table busid value (%d) for bustype %s "
+			" is too large, max. supported is %d\n",
+			m->mpc_busid, str, MAX_MP_BUSSES - 1);
+		return;
+	}
+
 	if (strncmp(str, BUSTYPE_ISA, sizeof(BUSTYPE_ISA)-1) == 0) {
 		mp_bus_id_to_type[m->mpc_busid] = MP_BUS_ISA;
 	} else if (strncmp(str, BUSTYPE_EISA, sizeof(BUSTYPE_EISA)-1) == 0) {

---
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [PATCH] mpparse: prevent table index out-of-bounds
    • From: "John Z. Bohach" <[email protected]>

• References:
  • Re: mem= causes oops (was Re: BIOS causes (exposes?) modprobe (load_module) kernel oops)
    • From: "Randy.Dunlap" <[email protected]>
  • Re: mem= causes oops (was Re: BIOS causes (exposes?) modprobe (load_module) kernel oops)
    • From: "John Z. Bohach" <[email protected]>

• Prev by Date: [PATCH] pl2303: added support for OTi's DKU-5 clone cable
• Next by Date: [PATCH] mptspec: remove duplicate #Include
• Previous by thread: Re: mem= causes oops (was Re: BIOS causes (exposes?) modprobe (load_module) kernel oops)
• Next by thread: Re: [PATCH] mpparse: prevent table index out-of-bounds
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]