From: Al Stone
To: linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Al Stone , "Rafael J . Wysocki" , Len Brown
Subject: [PATCH v3 2/3] ACPI: ensure acpi_parse_entries_array() does not access non-existent table data
Date: Mon, 30 Apr 2018 18:39:06 -0600
Message-Id: <20180501003907.4322-3-ahs3@redhat.com>
In-Reply-To: <20180501003907.4322-1-ahs3@redhat.com>
References: <20180501003907.4322-1-ahs3@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

For ACPI tables that have subtables, acpi_parse_entries_array() gets used to step through each of the subtables in memory. The primary loop for this was checking that the beginning location of the subtable being examined plus the length of struct acpi_subtable_header was not beyond the end of the complete ACPI table; if it wasn't, the subtable could be examined, but if it was, the loop would terminate as it should.

In the middle of this subtable loop, a callback is used to examine the subtable in detail. Should the callback function try to examine elements of the subtable that are located past the subtable header, and the ACPI table containing this subtable has an incorrect length, it is possible to access either invalid or protected memory and cause a fault. And, the length of struct acpi_subtable_header will always be smaller than the length of the actual subtable.

To fix this, we make the main loop check that the beginning of the subtable being examined plus the actual length of the subtable does not go past the end of the enclosing ACPI table. While this cannot protect us from malicious callback functions, it can prevent us from failing because of some poorly constructed ACPI tables.

Found by inspection.
There is no functional change to existing code that is known to work when calling acpi_parse_entries_array().

Signed-off-by: Al Stone
Cc: Rafael J. Wysocki
Cc: Len Brown
---
 drivers/acpi/tables.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index 4a3410aa6540..82c3e2c52dd9 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -274,8 +274,7 @@ acpi_parse_entries_array(char *id, unsigned long table_size, entry = (struct acpi_subtable_header *) ((unsigned long)table_header + table_size); - while (((unsigned long)entry) + sizeof(struct acpi_subtable_header) < - table_end) { + while ((unsigned long)entry + entry->length <= table_end) { if (max_entries && count >= max_entries) break;
-- 
2.14.3
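Review bot: the new loop condition dereferences `entry->length` before anything has confirmed that the header holding that field lies inside the table, so when `entry` sits within sizeof(struct acpi_subtable_header) of `table_end` (or exactly at it, once the previous subtable ended on the boundary) the check itself performs the out-of-bounds read the patch is meant to prevent. Keep the header-size test the old condition had as the first operand and add the full-length test after it, e.g. `while ((unsigned long)entry + sizeof(struct acpi_subtable_header) <= table_end && (unsigned long)entry + entry->length <= table_end) {`. The move from `<` to `<=` is right, since a subtable ending exactly at `table_end` is complete. The hunk also does not show how a zero `entry->length` is handled; unless the loop body rejects it, `entry` never advances, which is worth a sentence in the commit message either way.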
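As an added example (not the kernel's or the patch's code), a small C walker over ACPI-style subtables that applies the two-stage bound the discussion is about: the header must fit before its length field is read, then the whole subtable must end at or before the table end, and a zero-length entry is rejected so the loop cannot stall. `struct subtable_header` mirrors the ACPI type/length byte pair and the table bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as ACPI's subtable header: one type byte, one length byte. */
struct subtable_header {
	uint8_t type;
	uint8_t length;
};

/* Constructed tables: two well-formed subtables (lengths 8 and 4), and
 * one whose header claims a zero length. */
static const uint8_t good_table[] = { 0, 8, 1, 2, 3, 4, 5, 6,  1, 4, 7, 8 };
static const uint8_t zero_len_table[] = { 0, 0, 0, 0 };

/* Walk the subtables in table[0..table_len). Stores up to max_types
 * subtable types in 'types' (may be NULL). Returns the number of complete
 * subtables, or -1 if a subtable is truncated or has a bogus length. */
static int walk_subtables(const uint8_t *table, size_t table_len,
			  int *types, int max_types)
{
	size_t off = 0;
	int count = 0;

	/* Stage 1: only read the header once it is known to fit; the
	 * length field lives inside it. */
	while (table_len - off >= sizeof(struct subtable_header)) {
		const struct subtable_header *hdr =
			(const struct subtable_header *)(table + off);

		if (hdr->length < sizeof(*hdr))
			return -1;	/* zero/short length: would never advance */
		/* Stage 2: the patch's check, the full subtable must end at
		 * or before the end of the enclosing table ("<=" is correct). */
		if (off + hdr->length > table_len)
			return -1;	/* truncated subtable: do not hand to a callback */
		if (types && count < max_types)
			types[count] = hdr->type;
		count++;
		off += hdr->length;
	}
	return count;
}

int main(void)
{
	printf("complete: %d\n", walk_subtables(good_table, sizeof good_table, NULL, 0));
	printf("truncated to 10 bytes: %d\n", walk_subtables(good_table, 10, NULL, 0));
	printf("zero length: %d\n", walk_subtables(zero_len_table, sizeof zero_len_table, NULL, 0));
	return 0;
}
```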