[PATCH] mpparse: prevent table index out-of-bounds

John Z. Bohach <jzb@aexorsyst.com> found this bug:

  If the board has more than 32 PCI busses on it, the mptable bus array will
  overwrite its bounds for the PCI busses, and stomp on anything that's after
  it.

Prevent possible table overflow and unknown data corruption.  Code is in an
__init section so it will be discarded after init.

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/arch/i386/kernel/mpparse.c b/arch/i386/kernel/mpparse.c
index 4f95c9cf7957993b783c52d2665866cd991a7fe6..34d21e21e0124b89830fa2db7589a9ba06217e96 100644 (file)
--- a/arch/i386/kernel/mpparse.c
+++ b/arch/i386/kernel/mpparse.c
@@ -229,6 +229,13 @@ static void __init MP_bus_info (struct mpc_config_bus *m)
 
        mpc_oem_bus_info(m, str, translation_table[mpc_record]);
 
+       if (m->mpc_busid >= MAX_MP_BUSSES) {
+               printk(KERN_WARNING "MP table busid value (%d) for bustype %s "
+                       " is too large, max. supported is %d\n",
+                       m->mpc_busid, str, MAX_MP_BUSSES - 1);
+               return;
+       }
+
        if (strncmp(str, BUSTYPE_ISA, sizeof(BUSTYPE_ISA)-1) == 0) {
                mp_bus_id_to_type[m->mpc_busid] = MP_BUS_ISA;
        } else if (strncmp(str, BUSTYPE_EISA, sizeof(BUSTYPE_EISA)-1) == 0) {