From: Bjorn Helgaas <bhelgaas@xxxxxxxxxx>
VPD is limited in size by the 15-bit VPD Address field in the VPD
Capability. Each resource tag includes a length that determines the
overall size of the resource. Reject any resources that would extend past
the maximum VPD size.
Signed-off-by: Bjorn Helgaas <bhelgaas@xxxxxxxxxx>
---
drivers/pci/vpd.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
index 66703de2cf2b..e52382050e3e 100644
--- a/drivers/pci/vpd.c
+++ b/drivers/pci/vpd.c
@@ -77,6 +77,7 @@ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size)
while (off < old_size && pci_read_vpd(dev, off, 1, header) == 1) {
unsigned char tag;
+ size_t size;
if (off == 0 && (header[0] == 0x00 || header[0] == 0xff))
goto error;
@@ -94,8 +95,11 @@ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size)
off + 1);
return 0;
}
- off += PCI_VPD_LRDT_TAG_SIZE +
- pci_vpd_lrdt_size(header);
+ size = pci_vpd_lrdt_size(header);
+ if (off + size > PCI_VPD_MAX_SIZE)
+ goto error;
+
+ off += PCI_VPD_LRDT_TAG_SIZE + size;
} else {
pci_warn(dev, "invalid large VPD tag %02x at offset %zu",
tag, off);
@@ -103,9 +107,12 @@ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size)
}
} else {
/* Short Resource Data Type Tag */
- off += PCI_VPD_SRDT_TAG_SIZE +
- pci_vpd_srdt_size(header);
tag = pci_vpd_srdt_tag(header);
+ size = pci_vpd_srdt_size(header);
+ if (size == 0 || off + size > PCI_VPD_MAX_SIZE)
+ goto error;
+
+ off += PCI_VPD_SRDT_TAG_SIZE + size;
if (tag == PCI_VPD_STIN_END) /* End tag descriptor */
return off;
}
--
2.25.1
