From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Jerry Tang", "Rafael J. Wysocki", "Takashi Iwai", "Borislav Petkov", "Kees Cook"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 121/254] ACPI: APEI / ERST: Fix missing error handling in erst_reader()

3.16.55-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit bb82e0b4a7e96494f0c1004ce50cec3d7b5fb3d1 upstream.

The commit f6f828513290 ("pstore: pass allocated memory region back to
caller") changed the check of the return value from erst_read() in
erst_reader() in the following way:

        if (len == -ENOENT)
                goto skip;
-       else if (len < 0) {
-               rc = -1;
+       else if (len < sizeof(*rcd)) {
+               rc = -EIO;
                goto out;

This introduced another bug: since the comparison with sizeof() is
cast to unsigned, a negative len value doesn't hit any longer.
As a result, when an error is returned from erst_read(), the code
falls through, and it may eventually lead to some weird thing like
memory corruption.

This patch adds the negative error value check more explicitly for
addressing the issue.

Fixes: f6f828513290 (pstore: pass allocated memory region back to caller)
Tested-by: Jerry Tang
Signed-off-by: Takashi Iwai
Acked-by: Kees Cook
Reviewed-by: Borislav Petkov
Signed-off-by: Rafael J. Wysocki
Signed-off-by: Ben Hutchings
---
 drivers/acpi/apei/erst.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/acpi/apei/erst.c +++ b/drivers/acpi/apei/erst.c
@@ -1023,7 +1023,7 @@ skip: /* The record may be cleared by others, try read next record */ if (len == -ENOENT) goto skip; - else if (len < sizeof(*rcd)) { + else if (len < 0 || len < sizeof(*rcd)) { rc = -EIO; goto out; }
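
Review bot: In the new condition `else if (len < 0 || len < sizeof(*rcd)) {`, the second comparison still converts the signed len to unsigned and is only correct because `len < 0` is evaluated first, and nothing in the code documents that ordering dependency. Consider `len < 0 || (size_t)len < sizeof(*rcd)` or a one-line comment above the test, so that a later cleanup does not drop or reorder the sign check and bring back the fall-through the commit message describes. The branch also sets `rc = -EIO` for every negative len, so the specific error from erst_read() is discarded; if callers can make use of it, assigning `rc = len` in the negative case would preserve it.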