serial: sirf: Fix out-of-bounds access through DT alias

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The sirf_ports[] array is indexed using a value derived from the
"serialN" alias in DT, which may lead to an out-of-bounds access.

Fix this by adding a range check.

Fixes: a6ffe8966acbb66b ("serial: sirf: use dynamic method allocate uart structure")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Geert Uytterhoeven and committed by

Greg Kroah-Hartman 8 years ago 96c611c2 090fa4b0

1 changed file

expand all

drivers

tty

serial

sirfsoc_uart.c

drivers/tty/serial/sirfsoc_uart.c

··· 1283 1283 goto err; 1284 1284 } 1285 1285 sirfport->port.line = of_alias_get_id(np, "serial"); 1286 + if (sirfport->port.line >= ARRAY_SIZE(sirf_ports)) { 1287 + dev_err(&pdev->dev, "serial%d out of range\n", 1288 + sirfport->port.line); 1289 + return -EINVAL; 1290 + } 1286 1291 sirf_ports[sirfport->port.line] = sirfport; 1287 1292 sirfport->port.iotype = UPIO_MEM; 1288 1293 sirfport->port.flags = UPF_BOOT_AUTOCONF;