diff options
| author | Bjorn Helgaas <bhelgaas@google.com> | 2021-07-15 16:59:57 -0500 |
|---|---|---|
| committer | Bjorn Helgaas <bhelgaas@google.com> | 2021-08-09 13:42:56 -0500 |
| commit | 6303049d16f0e69d0449c3c80d0e3695d4f02f94 (patch) | |
| tree | d38ac779a18ed87de625612cd2ab8149e4525972 /drivers | |
| parent | 4e0d77f8e831fcbe86a02dd0ead12d9c8c057700 (diff) | |
| download | linux-6303049d16f0e69d0449c3c80d0e3695d4f02f94.tar.bz2 | |
PCI/VPD: Reject resource tags with invalid size
VPD is limited in size by the 15-bit VPD Address field in the VPD
Capability. Each resource tag includes a length that determines the
overall size of the resource. Reject any resources that would extend past
the maximum VPD size.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/pci/vpd.c | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c index 05e4df0a84d3..850deff0dd43 100644 --- a/drivers/pci/vpd.c +++ b/drivers/pci/vpd.c @@ -72,11 +72,11 @@ EXPORT_SYMBOL(pci_write_vpd); */ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size) { - size_t off = 0; - unsigned char header[1+2]; /* 1 byte tag, 2 bytes length */ + size_t off = 0, size; + unsigned char tag, header[1+2]; /* 1 byte tag, 2 bytes length */ while (off < old_size && pci_read_vpd(dev, off, 1, header) == 1) { - unsigned char tag; + size = 0; if (off == 0 && (header[0] == 0x00 || header[0] == 0xff)) goto error; @@ -94,8 +94,11 @@ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size) off + 1); return 0; } - off += PCI_VPD_LRDT_TAG_SIZE + - pci_vpd_lrdt_size(header); + size = pci_vpd_lrdt_size(header); + if (off + size > PCI_VPD_MAX_SIZE) + goto error; + + off += PCI_VPD_LRDT_TAG_SIZE + size; } else { pci_warn(dev, "invalid large VPD tag %02x at offset %zu\n", tag, off); @@ -103,9 +106,12 @@ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size) } } else { /* Short Resource Data Type Tag */ - off += PCI_VPD_SRDT_TAG_SIZE + - pci_vpd_srdt_size(header); tag = pci_vpd_srdt_tag(header); + size = pci_vpd_srdt_size(header); + if (off + size > PCI_VPD_MAX_SIZE) + goto error; + + off += PCI_VPD_SRDT_TAG_SIZE + size; if (tag == PCI_VPD_STIN_END) /* End tag descriptor */ return off; } @@ -113,8 +119,8 @@ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size) return 0; error: - pci_info(dev, "invalid VPD tag %#04x at offset %zu%s\n", - header[0], off, off == 0 ? + pci_info(dev, "invalid VPD tag %#04x (size %zu) at offset %zu%s\n", + header[0], size, off, off == 0 ? "; assume missing optional EEPROM" : ""); return 0; } |