aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBjorn Helgaas2021-07-15 16:59:57 -0500
committerBjorn Helgaas2021-08-09 13:42:56 -0500
commit6303049d16f0e69d0449c3c80d0e3695d4f02f94 (patch)
treed38ac779a18ed87de625612cd2ab8149e4525972
parent4e0d77f8e831fcbe86a02dd0ead12d9c8c057700 (diff)
PCI/VPD: Reject resource tags with invalid size
VPD is limited in size by the 15-bit VPD Address field in the VPD Capability. Each resource tag includes a length that determines the overall size of the resource. Reject any resources that would extend past the maximum VPD size. Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Reviewed-by: Hannes Reinecke <hare@suse.de>
-rw-r--r--drivers/pci/vpd.c24
1 files changed, 15 insertions, 9 deletions
diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
index 05e4df0a84d3..850deff0dd43 100644
--- a/drivers/pci/vpd.c
+++ b/drivers/pci/vpd.c
@@ -72,11 +72,11 @@ EXPORT_SYMBOL(pci_write_vpd);
*/
static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size)
{
- size_t off = 0;
- unsigned char header[1+2]; /* 1 byte tag, 2 bytes length */
+ size_t off = 0, size;
+ unsigned char tag, header[1+2]; /* 1 byte tag, 2 bytes length */
while (off < old_size && pci_read_vpd(dev, off, 1, header) == 1) {
- unsigned char tag;
+ size = 0;
if (off == 0 && (header[0] == 0x00 || header[0] == 0xff))
goto error;
@@ -94,8 +94,11 @@ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size)
off + 1);
return 0;
}
- off += PCI_VPD_LRDT_TAG_SIZE +
- pci_vpd_lrdt_size(header);
+ size = pci_vpd_lrdt_size(header);
+ if (off + size > PCI_VPD_MAX_SIZE)
+ goto error;
+
+ off += PCI_VPD_LRDT_TAG_SIZE + size;
} else {
pci_warn(dev, "invalid large VPD tag %02x at offset %zu\n",
tag, off);
@@ -103,9 +106,12 @@ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size)
}
} else {
/* Short Resource Data Type Tag */
- off += PCI_VPD_SRDT_TAG_SIZE +
- pci_vpd_srdt_size(header);
tag = pci_vpd_srdt_tag(header);
+ size = pci_vpd_srdt_size(header);
+ if (off + size > PCI_VPD_MAX_SIZE)
+ goto error;
+
+ off += PCI_VPD_SRDT_TAG_SIZE + size;
if (tag == PCI_VPD_STIN_END) /* End tag descriptor */
return off;
}
@@ -113,8 +119,8 @@ static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size)
return 0;
error:
- pci_info(dev, "invalid VPD tag %#04x at offset %zu%s\n",
- header[0], off, off == 0 ?
+ pci_info(dev, "invalid VPD tag %#04x (size %zu) at offset %zu%s\n",
+ header[0], size, off, off == 0 ?
"; assume missing optional EEPROM" : "");
return 0;
}