summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorZachary Amsden <zach@vmware.com>2006-01-06 00:11:55 -0800
committerLinus Torvalds <torvalds@g5.osdl.org>2006-01-06 08:33:35 -0800
commit5fe9fe3c6f9a1ae7aa224bb7a66eb9aad9e4abef (patch)
treeec120ce6e72700fe49720127bc76228c51bd406b /drivers
parent3fae1c37eea98097de34ba665796fea93b29f4aa (diff)
downloadkernel-crypto-5fe9fe3c6f9a1ae7aa224bb7a66eb9aad9e4abef.tar.gz
kernel-crypto-5fe9fe3c6f9a1ae7aa224bb7a66eb9aad9e4abef.tar.xz
kernel-crypto-5fe9fe3c6f9a1ae7aa224bb7a66eb9aad9e4abef.zip
[PATCH] x86: Pnp byte granularity
The one remaining caller of set_limit, the PnP BIOS code, calls into the PnP BIOS, passing kernel parameters in and out. These parameteres may be passed from arbitrary kernel virtual memory, so they deserve strict protection to stop a bad BIOS from smashing beyond the object size. Unfortunately, the use of set_limit was badly botching this by setting the limit in terms of pages, when it really should have byte granularity. When doing this, I discovered my BIOS had the buggy code during the "get system device node" call: mov ax, es:[bx] Which is harmless, but has a trivial workaround. Signed-off-by: Zachary Amsden <zach@vmware.com> Cc: "Seth, Rohit" <rohit.seth@intel.com> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/pnp/pnpbios/bioscalls.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
index 37bacfcdbc5..a72126180e9 100644
--- a/drivers/pnp/pnpbios/bioscalls.c
+++ b/drivers/pnp/pnpbios/bioscalls.c
@@ -283,12 +283,15 @@ int pnp_bios_dev_node_info(struct pnp_dev_node_info *data)
static int __pnp_bios_get_dev_node(u8 *nodenum, char boot, struct pnp_bios_node *data)
{
u16 status;
+ u16 tmp_nodenum;
if (!pnp_bios_present())
return PNP_FUNCTION_NOT_SUPPORTED;
if ( !boot && pnpbios_dont_use_current_config )
return PNP_FUNCTION_NOT_SUPPORTED;
+ tmp_nodenum = *nodenum;
status = call_pnp_bios(PNP_GET_SYS_DEV_NODE, 0, PNP_TS1, 0, PNP_TS2, boot ? 2 : 1, PNP_DS, 0,
- nodenum, sizeof(char), data, 65536);
+ &tmp_nodenum, sizeof(tmp_nodenum), data, 65536);
+ *nodenum = tmp_nodenum;
return status;
}