Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2119751imm; Wed, 16 May 2018 08:10:34 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoTXBYYI/tCrfuEX8tHKN0qtdOjlA3Aha/9MVjcXKEE/hZ59D1/yiYAB6gPpqQb5rZZJuQp X-Received: by 2002:a17:902:e8:: with SMTP id a95-v6mr1338843pla.274.1526483434893; Wed, 16 May 2018 08:10:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526483434; cv=none; d=google.com; s=arc-20160816; b=wHuczwxjJiepf4VeyfLdLhUGh3nJgDj9OAhE7w/G2f6IPR6phnDdggAX06zzd0643N snjHz/s0RtX/rDG0vE4AuWkNtN4zcghCl6ZhU/siwep6mwkIctUjAXmuqsSTZNdyWQFQ nRtr5fTlzjs7xijBbut6Y/fKrPXzBZrS/ZuoQD2pKw3tGOR6SRuZKX91jgDC1M8zWPb/ ZKOClu+o/KsHoFw3dtz6HRYoj1p2Uym0e5Wl1bgDG6tnhv4VheNFbBB3GnG+dCRxE287 4Nhx+/huf5U7TkSgMfZFWi66kOm2DI9ZvMReUw9OP7ph+N17kkj9lLBbGQXWc2ZSJ9dP 0VqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:organization:references:cc:to:from:subject:reply-to :arc-authentication-results; bh=hd7ojNOUWQDOxpaDRrwbY5ZmbfL1mRGwM7kW8ogxz7s=; b=rywIFgg8gNGxdVR1xpNNI/YvoG+zf8Hr4yLYtn33C9PnrLpU0FJiC9frGIAHgwmRQ1 uMCNWOBJZb2zBDmHRH6Ou/XLXjjSn2OaZ5GaR4ykXC8AkksBzoXb1MDWkTB3ykXxXD7J 322XeM/py517G/ifzXiHm2iiWIB2jIdbpRo4nB0MXUvElIOccHwxSLf1IMFIfb3ADTKU 1M/IKDLPTiTa6+FB07us0p+w4z3tw7D31fl9ifwndwDdYRfEib3yJVQsDu1qxuERpiQx c87enRQ6qKAwa/7b3AvVSw8TktsSSbA3qgQMcm5o0EFTAqpTbt4I7liCZ8iCVGG+3TmV vayA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w9-v6si2834491plk.28.2018.05.16.08.10.20; Wed, 16 May 2018 08:10:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751564AbeEPPJ7 (ORCPT + 99 others); Wed, 16 May 2018 11:09:59 -0400 Received: from mail-it0-f66.google.com ([209.85.214.66]:51054 "EHLO mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750749AbeEPPJ6 (ORCPT ); Wed, 16 May 2018 11:09:58 -0400 Received: by mail-it0-f66.google.com with SMTP id p3-v6so2760627itc.0 for ; Wed, 16 May 2018 08:09:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:reply-to:subject:from:to:cc:references :organization:message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=hd7ojNOUWQDOxpaDRrwbY5ZmbfL1mRGwM7kW8ogxz7s=; b=HCwhNaAGQNmkM+vDj53lDARzdUMr8bLxSkTFARVMTRdS0Va6+nJLlYQNaeycxfqPpS h90j6DiZmgcvBzkj8Wr4QDbG4aPofkGLpZw6gA64XcEkywOd+XFEZEwg+cS8iIWU3f8L UOz34YTv8Y3i0TnkS+nqbC9JNh+ME0GnZ37ms83Ulve1hz3ICnoRptXCgFOG0rVZP79r N/k/MTujIvdzebq6a/5nqa/edWuD00biRDlgpVZTzgVW8ZN8e7BU+2VU6ctcIgSfASIr VaGFoedocit12JoKIOCtepVeF3UuYOi1eGZlNDintS5wgjxw5WwdWis3VXtZtwmQzU83 Q9NQ== X-Gm-Message-State: ALKqPwcsem8ssKGCFZbyXzLqPCasVgE1+3Xv9nsYGGzSUXAp0t5R1FSi /imx1JDKQ8JXlJX5O/CF4HYM7w== X-Received: by 2002:a24:de07:: with SMTP id d7-v6mr1503105itg.93.1526483397588; Wed, 16 May 2018 08:09:57 -0700 (PDT) Received: from fidelio.ahs3 (c-67-165-232-89.hsd1.co.comcast.net. [67.165.232.89]) by smtp.gmail.com with ESMTPSA id e139-v6sm1661328ite.42.2018.05.16.08.09.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 16 May 2018 08:09:56 -0700 (PDT) Reply-To: ahs3@redhat.com Subject: Re: [PATCH v3 2/3] ACPI: ensure acpi_parse_entries_array() does not access non-existent table data From: Al Stone To: "Rafael J. Wysocki" Cc: ACPI Devel Maling List , Linux Kernel Mailing List , "Rafael J . Wysocki" , Len Brown References: <20180501003907.4322-1-ahs3@redhat.com> <20180501003907.4322-3-ahs3@redhat.com> <04afae30-7012-ebb9-cd0e-3ec39bfd955c@redhat.com> Organization: Red Hat, Inc. Message-ID: <944148ef-e8aa-72fc-069a-64ca793d1eeb@redhat.com> Date: Wed, 16 May 2018 09:09:55 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <04afae30-7012-ebb9-cd0e-3ec39bfd955c@redhat.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05/15/2018 03:53 PM, Al Stone wrote: > On 05/15/2018 11:19 AM, Rafael J. Wysocki wrote: >> On Tue, May 1, 2018 at 2:39 AM, Al Stone wrote: >>> For ACPI tables that have subtables, acpi_parse_entries_array() gets used >>> to step through each of the subtables in memory. The primary loop for this >>> was checking that the beginning location of the subtable being examined >>> plus the length of struct acpi_subtable_header was not beyond the end of >>> the complete ACPI table; if it wasn't, the subtable could be examined, but >>> if it was the loop would terminate as it should. >>> >>> In the middle of this subtable loop, a callback is used to examine the >>> subtable in detail. >>> >>> Should the callback function try to examine elements of the subtable that >>> are located past the subtable header, and the ACPI table containing this >>> subtable has an incorrect length, it is possible to access either invalid >>> or protected memory and cause a fault. And, the length of struct >>> acpi_subtable_header will always be smaller than the length of the actual >>> subtable. >>> >>> To fix this, we make the main loop check that the beginning of the >>> subtable being examined plus the actual length of the subtable does >>> not go past the end of the enclosing ACPI table. While this cannot >>> protect us from malicious callback functions, it can prevent us from >>> failing because of some poorly constructed ACPI tables. >>> >>> Found by inspection. There is no functional change to existing code >>> that is known to work when calling acpi_parse_entries_array(). >>> >>> Signed-off-by: Al Stone >>> Cc: Rafael J. Wysocki >>> Cc: Len Brown >>> --- >>> drivers/acpi/tables.c | 3 +-- >>> 1 file changed, 1 insertion(+), 2 deletions(-) >>> >>> diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c >>> index 4a3410aa6540..82c3e2c52dd9 100644 >>> --- a/drivers/acpi/tables.c >>> +++ b/drivers/acpi/tables.c >>> @@ -274,8 +274,7 @@ acpi_parse_entries_array(char *id, unsigned long table_size, >>> entry = (struct acpi_subtable_header *) >>> ((unsigned long)table_header + table_size); >>> >>> - while (((unsigned long)entry) + sizeof(struct acpi_subtable_header) < >>> - table_end) { >>> + while ((unsigned long)entry + entry->length <= table_end) { >>> if (max_entries && count >= max_entries) >>> break; >>> >>> -- >> >> This breaks the CPU enumeration on my Dell XPS13 9360 (possibly among >> other things), so I'm dropping it. I can send you acpidump output >> from that machine if need be. >> >> Thanks, >> Rafael Let's just drop this completely -- but please do send the acpidump. It's going to take me a while to figure why this innocuous little loop does not behave the way I expect it to. I'll send a separate patch, if needed. -- ciao, al ----------------------------------- Al Stone Software Engineer Red Hat, Inc. ahs3@redhat.com -----------------------------------