提交 47b975d2 编写于 作者: E Edward O'Callaghan 提交者: Bjorn Helgaas

PCI: Avoid iterating through memory outside the resource window

If the 'image' pointer has been advanced more than 'size', we've already
iterated through memory outside the resource window.

We have zero control over whatever we find in the option ROM, if it's even
an option ROM and not just an accident of random data just happening to
look like an option ROM.
Signed-off-by: NEdward O'Callaghan <eocallaghan@alterapraxis.com>
Signed-off-by: NBjorn Helgaas <bhelgaas@google.com>
上级 3460baa6
...@@ -96,6 +96,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size) ...@@ -96,6 +96,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
last_image = readb(pds + 21) & 0x80; last_image = readb(pds + 21) & 0x80;
length = readw(pds + 16); length = readw(pds + 16);
image += length * 512; image += length * 512;
/* Avoid iterating through memory outside the resource window */
if (image > rom + size)
break;
} while (length && !last_image); } while (length && !last_image);
/* never return a size larger than the PCI resource window */ /* never return a size larger than the PCI resource window */
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册