From: Bjorn Helgaas <bjorn.helgaas@hp.com>
Date: Fri, 1 Aug 2008 21:58:17 +0000 (-0600)
Subject: ACPI: bounds check IRQ to prevent memory corruption
X-Git-Tag: v2.6.27-rc4~68^2^4
X-Git-Url: http://www.pilppa.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=fa46d3526461e8aa7c0fb39cc1b98ac656695a43;p=linux-2.6-omap-h63xx.git

ACPI: bounds check IRQ to prevent memory corruption

acpi_penalize_isa_irq() should validate irq before using it to
index the acpi_irq_penalty[] table.

Here's the path I'm concerned about:

    pnpacpi_parse_allocated_irqresource()
    {
	...
	irq = acpi_register_gsi(gsi, triggering, polarity);
	if (irq >= 0)
		pcibios_penalize_isa_irq(irq, 1);

There's no guarantee that acpi_register_gsi() will return an IRQ
within the bounds of acpi_irq_penalty[].

I have not seen a failure I can attribute to this.  However,
ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have
IRQs larger than that.

I think this should go in 2.6.27.

Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
---

diff --git a/drivers/acpi/pci_link.c b/drivers/acpi/pci_link.c
index 89f3b2abfdc..cf47805a744 100644
--- a/drivers/acpi/pci_link.c
+++ b/drivers/acpi/pci_link.c
@@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used)
 		if (irq < 0)
 			continue;
 
-		if (irq >= ACPI_MAX_IRQS)
+		if (irq >= ARRAY_SIZE(acpi_irq_penalty))
 			continue;
 
 		if (used)
@@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used)
  */
 void acpi_penalize_isa_irq(int irq, int active)
 {
-	if (active)
-		acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
-	else
-		acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+	if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) {
+		if (active)
+			acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
+		else
+			acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+	}
 }
 
 /*