Received: by 10.223.185.116 with SMTP id b49csp6343545wrg;
        Wed, 28 Feb 2018 07:55:00 -0800 (PST)
X-Google-Smtp-Source: AH8x227DoJRLUWwtlQXPky2XuoNQN3IoyKC/7tl/3v0CoJlh3CGVSdxd9ZwlikUCQmbXbHQrrqG7
X-Received: by 10.99.117.28 with SMTP id q28mr14642639pgc.187.1519833300097;
        Wed, 28 Feb 2018 07:55:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519833300; cv=none;
        d=google.com; s=arc-20160816;
        b=ugbhMDsMJIMAuI61hf2drSy1e1Hfs2sA57QLVSacxpEYwGclchvkAD4bQNqLS2jDH7
         5pFAd8xTVriiD3Up19l4M8yF1ePZygtyvKyRufK1udteTdlxBBrk4IytbywvlhGZKnKw
         5evE5ktdSuVxEstgpY2AfAykNIK9AmFHMUC4SS6DKZulnwqVUd1k50ZxR/jd6JVL+Obr
         8JYoWeAXRj3ueY18yfUxkmJvU7FqURCn22F1hYnbL4GuCFZJ18C2Mofnit7m+Fl1a8CN
         aJEzqewU/G/y/CmlGpJyHshv8AwJzXbFG2YluBcydEumB/mJqTYu6ga3OBGF4j0Znm0t
         /9KQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition
         :arc-authentication-results;
        bh=bPsH81CTLd2Ze4BrH7WaplYfJ2LSB97QqrHMjVV8JO0=;
        b=qu8/nvGGhFFMZiGKbNRyb7GTqOYcC7gy5Es47Owk//2d4rxzB9oDBWszNkIfrpDVOR
         XmEgV+OyX/JhsZbFwxRZ+soBXzQVIw7wQnEtl9jyjHlLda6H3XBJb6VpIgZZrEKsRWdi
         ZJy/0HIgZl6Vyw0tSXI16F+7A+JTMSpGupUNN2Gy1IufMlgZb+2Mv5iZ/lxf6eqdi1T7
         Y/Rys6th08NmgDXx+SJe5GkPxNuQPEt6yRwO16bzN5dqbSYsvYIX4uWd5l5elPHBH3j5
         GPtHvQQBVeByXAB86ovOTL6HhsNEjWrYf1aCRXAax3CsTw4CneeLWUWU0OwXL+pFaaP4
         KgUQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y86si1395454pfi.19.2018.02.28.07.54.45;
        Wed, 28 Feb 2018 07:55:00 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934051AbeB1Pxf (ORCPT <rfc822;speed.demon0047@gmail.com>
        + 99 others); Wed, 28 Feb 2018 10:53:35 -0500
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:34458 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S932678AbeB1Pxb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 28 Feb 2018 10:53:31 -0500
Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.84_2)
        (envelope-from <ben@decadent.org.uk>)
        id 1er3Yi-0006XW-0V; Wed, 28 Feb 2018 15:22:20 +0000
Received: from ben by deadeye with local (Exim 4.90_1)
        (envelope-from <ben@decadent.org.uk>)
        id 1er3Yg-00006f-Sq; Wed, 28 Feb 2018 15:22:18 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org, "Jerry Tang" <jtang@suse.com>,
        "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
        "Takashi Iwai" <tiwai@suse.de>, "Borislav Petkov" <bp@suse.de>,
        "Kees Cook" <keescook@chromium.org>
Date:   Wed, 28 Feb 2018 15:20:18 +0000
Message-ID: <lsq.1519831218.540430918@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 121/254] ACPI: APEI / ERST: Fix missing error
 handling in erst_reader()
In-Reply-To: <lsq.1519831217.271785318@decadent.org.uk>
X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit bb82e0b4a7e96494f0c1004ce50cec3d7b5fb3d1 upstream.

The commit f6f828513290 ("pstore: pass allocated memory region back to
caller") changed the check of the return value from erst_read() in
erst_reader() in the following way:

        if (len == -ENOENT)
                goto skip;
-       else if (len < 0) {
-               rc = -1;
+       else if (len < sizeof(*rcd)) {
+               rc = -EIO;
                goto out;

This introduced another bug: since the comparison with sizeof() is
cast to unsigned, a negative len value doesn't hit any longer.
As a result, when an error is returned from erst_read(), the code
falls through, and it may eventually lead to some weird thing like
memory corruption.

This patch adds the negative error value check more explicitly for
addressing the issue.

Fixes: f6f828513290 (pstore: pass allocated memory region back to caller)
Tested-by: Jerry Tang <jtang@suse.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/apei/erst.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/acpi/apei/erst.c
+++ b/drivers/acpi/apei/erst.c
@@ -1023,7 +1023,7 @@ skip:
 	/* The record may be cleared by others, try read next record */
 	if (len == -ENOENT)
 		goto skip;
-	else if (len < sizeof(*rcd)) {
+	else if (len < 0 || len < sizeof(*rcd)) {
 		rc = -EIO;
 		goto out;
 	}