On Tue, Jan 05, 2016 at 04:12:38AM +1100, eocallaghan@xxxxxxxxxxxxxxxx wrote:
> If the 'image' pointer has been advanced more than 'size',
> we've already iterated through memory outside the resource window.
>
> We have zero control over whatever we find in the option ROM,
> if it's even an option ROM and not just an accident of random
> data just happening to look like an option ROM.
>
> Signed-off-by: Edward O'Callaghan <eocallaghan@xxxxxxxxxxxxxxxx>

This patch was somehow malformed, but I applied it by hand to
pci/resource for v4.5, thanks, Edward!

> ---
> drivers/pci/rom.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
> index eb0ad53..45987ad 100644
> --- a/drivers/pci/rom.c
> +++ b/drivers/pci/rom.c
> @@ -96,6 +96,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void
> __iomem *rom, size_t size)
> last_image = readb(pds + 21) & 0x80;
> length = readw(pds + 16);
> image += length * 512;
> + /* Avoid iterating through memory outside the resource window */
> + if (image > rom + size)
> + break;
> } while (length && !last_image);
>
> /* never return a size larger than the PCI resource window */
> --
> 2.5.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-pci" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
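
Review bot: the added check in the `@@ -96,6 +96,9 @@` hunk of drivers/pci/rom.c compares with a strict `>`, so when `image` lands exactly on `rom + size` the loop does not break and goes round again with `image` pointing at the first byte past the resource window. Anything the next iteration reads relative to `image` is then already outside the window, which is the case the commit message sets out to prevent. Consider `if (image >= rom + size)` here. The check also sits after `image += length * 512`, so it only guards the following iteration; since `length` comes straight from `readw(pds + 16)` on untrusted ROM contents, a short comment saying that the bound is enforced before the next header read, rather than on the current one, would make the intent clearer to later readers.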