From 47b975d234eac39f3a72e5496d5f6158d8b806d1 Mon Sep 17 00:00:00 2001 From: Edward O'Callaghan Date: Fri, 8 Jan 2016 12:16:04 -0600 Subject: [PATCH] PCI: Avoid iterating through memory outside the resource window If the 'image' pointer has been advanced more than 'size', we've already iterated through memory outside the resource window. We have zero control over whatever we find in the option ROM, if it's even an option ROM and not just an accident of random data just happening to look like an option ROM. Signed-off-by: Edward O'Callaghan Signed-off-by: Bjorn Helgaas --- drivers/pci/rom.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c index eb0ad530dc43..45987adb9eae 100644 --- a/drivers/pci/rom.c +++ b/drivers/pci/rom.c @@ -96,6 +96,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size) last_image = readb(pds + 21) & 0x80; length = readw(pds + 16); image += length * 512; + /* Avoid iterating through memory outside the resource window */ + if (image > rom + size) + break; } while (length && !last_image); /* never return a size larger than the PCI resource window */ -- GitLab