From: Rex Zhu <Rex.Zhu@amd.com>
Date: Tue, 5 Jun 2018 01:46:45 +0000 (+0800)
Subject: PCI: Avoid accessing memory outside the ROM BAR
X-Git-Tag: v4.19-rc1~123^2~11^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=445ec321e71b3124abacfb358f72ac6a70d87602;p=thirdparty%2Fkernel%2Flinux.git

PCI: Avoid accessing memory outside the ROM BAR

pci_get_rom_size() accepts the base and size of the ROM BAR as arguments.
The byte at "rom + size" is the first byte *past* the ROM, so change ">" to
">=" to avoid accessing beyond the actual length of the ROM BAR.

Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
---

diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
index a7b5c37a85ec3..946795fc00718 100644
--- a/drivers/pci/rom.c
+++ b/drivers/pci/rom.c
@@ -106,7 +106,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
 		length = readw(pds + 16);
 		image += length * 512;
 		/* Avoid iterating through memory outside the resource window */
-		if (image > rom + size)
+		if (image >= rom + size)
 			break;
 	} while (length && !last_image);