PCI: Avoid iterating through memory outside the resource window

If the 'image' pointer has been advanced more than 'size', we've already iterated through memory outside the resource window. We have zero control over whatever we find in the option ROM, if it's even an option ROM and not just an accident of random data just happening to look like an option ROM. Signed-off-by: N Edward O'Callaghan <eocallaghan@alterapraxis.com> Signed-off-by: N Bjorn Helgaas <bhelgaas@google.com>

PCI: Avoid iterating through memory outside the resource window
If the 'image' pointer has been advanced more than 'size', we've already iterated through memory outside the resource window. We have zero control over whatever we find in the option ROM, if it's even an option ROM and not just an accident of random data just happening to look like an option ROM. Signed-off-by: N Edward O'Callaghan <eocallaghan@alterapraxis.com> Signed-off-by: N Bjorn Helgaas <bhelgaas@google.com>
47b975d2 · Edward O'Callaghan · Bjorn Helgaas · 3460baa6 · 47b975d2
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

drivers/pci/rom.c drivers/pci/rom.c +3 -0

未找到文件。
--- a/drivers/pci/rom.c
+++ b/drivers/pci/rom.c
@@ -96,6 +96,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
 		last_image = readb(pds + 21) & 0x80;
 		length = readw(pds + 16);
 		image += length * 512;
+		/* Avoid iterating through memory outside the resource window */
+		if (image > rom + size)
+			break;
 	} while (length && !last_image);

 	/* never return a size larger than the PCI resource window */