161789 – GET_INDEX macro in aspm pci fixup code can overwrite end of the array

Bug 161789 - GET_INDEX macro in aspm pci fixup code can overwrite end of the array

Summary: GET_INDEX macro in aspm pci fixup code can overwrite end of the array

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Neil Horman
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	156322
TreeView+	depends on / blocked

Reported:	2005-06-27 11:57 UTC by Neil Horman
Modified:	2007-11-30 22:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:	RHSA-2005-514
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-10-05 13:36:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Backport of Intels upstream patch to restrict the GET_INDEX array to only use the lower 3 bits of the devfn value (514 bytes, patch) 2005-06-27 11:57 UTC, Neil Horman	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2005:514	0	qe-ready	SHIPPED_LIVE	Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2	2005-10-05 04:00:00 UTC

Description Neil Horman 2005-06-27 11:57:15 UTC

Description of problem:
the GET_INDEX macro in arch/i386/pci/fixup.c fails to only use the lower 3 bits
of a pci devices devfn value.  As such, certain pcidevices with a sufficiently
large bus/device/function tuple can index too far into the quirk_aspm_offset
array, overwriting parts of memory

Version-Release number of selected component (if applicable):
RHEL4, all versions

How reproducible:
Unknown

Steps to Reproduce:
1.
2.
3.
  
Actual results:
memory which is allocated immediately after the quirk_aspm_offset array can
become corrupted

Expected results:
No memory corruption

Additional info:

Comment 1 Neil Horman 2005-06-27 11:57:15 UTC

Created attachment 116008 [details]
Backport of Intels upstream patch to restrict the GET_INDEX array to only use the lower 3 bits of the devfn value

Comment 7 Red Hat Bugzilla 2005-10-05 13:36:40 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html

Note You need to log in before you can comment on or make changes to this bug.