From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 7 Jan 2020 13:04:41 +0000 (+0300)
Subject: cmd64x: potential buffer overflow in cmd64x_program_timings()
X-Git-Tag: v4.4.215~50
X-Git-Url: https://git.fsl.cs.sunysb.edu/?a=commitdiff_plain;h=d83e090023d3f330e08180207a23a3d8add085ee;p=wrapfs-5.3.y.git

cmd64x: potential buffer overflow in cmd64x_program_timings()

[ Upstream commit 117fcc3053606d8db5cef8821dca15022ae578bb ]

The "drive->dn" value is a u8 and it is controlled by root only, but
it could be out of bounds here so let's check.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/drivers/ide/cmd64x.c b/drivers/ide/cmd64x.c
index b127ed60c733..9dde8390da09 100644
--- a/drivers/ide/cmd64x.c
+++ b/drivers/ide/cmd64x.c
@@ -65,6 +65,9 @@ static void cmd64x_program_timings(ide_drive_t *drive, u8 mode)
 	struct ide_timing t;
 	u8 arttim = 0;
 
+	if (drive->dn >= ARRAY_SIZE(drwtim_regs))
+		return;
+
 	ide_timing_compute(drive, mode, &t, T, 0);
 
 	/*