From: Ross Lagerwall
CC: "Rafael J. Wysocki", Len Brown, Tony Luck, Borislav Petkov, Huang Ying, Ross Lagerwall
Subject: [PATCH 1/2] acpi/apei: Avoid possible OOB when accessing BERT region
Date: Tue, 22 Jan 2019 16:09:11 +0000
Message-ID: <20190122160912.27312-2-ross.lagerwall@citrix.com>
In-Reply-To: <20190122160912.27312-1-ross.lagerwall@citrix.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Check that the length recorded in the generic error status block is within the region before checking the contents of the region itself. Otherwise it may result in an OOB access if the system firmware has generated a status block with an invalid length (larger than the mapped region).

Also move the block_status check so that it only happens after the block has been verified to be within the mapped region.

Signed-off-by: Ross Lagerwall --- drivers/acpi/apei/bert.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c index 12771fcf0417..0d948d0a41af 100644 --- a/drivers/acpi/apei/bert.c +++ b/drivers/acpi/apei/bert.c @@ -42,15 +42,7 @@ static void __init bert_print_all(struct acpi_bert_region *region, int remain = region_len; u32 estatus_len; - if (!estatus->block_status) - return; - - while (remain > sizeof(struct acpi_bert_region)) { - if (cper_estatus_check(estatus)) { - pr_err(FW_BUG "Invalid error record.\n"); - return; - } - + while (remain >= sizeof(struct acpi_bert_region)) { estatus_len = cper_estatus_len(estatus); if (remain < estatus_len) { pr_err(FW_BUG "Truncated status block (length: %u).\n", @@ -58,6 +50,15 @@ static void __init bert_print_all(struct acpi_bert_region *region, return; } + /* No more error records. */ + if (!estatus->block_status) + return; + + if (cper_estatus_check(estatus)) { + pr_err(FW_BUG "Invalid error record.\n"); + return; + } + pr_info_once("Error records from previous boot:\n"); cper_estatus_print(KERN_INFO HW_ERR, estatus); @@ -70,10 +71,6 @@ static void __init bert_print_all(struct acpi_bert_region *region, estatus->block_status = 0; estatus = (void *)estatus + estatus_len; - /* No more error records. */ - if (!estatus->block_status) - return; - remain -= estatus_len; } } -- 2.17.2
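
Review bot: The first hunk (@@ -42,15 +42,7) changes the loop condition from "remain > sizeof(struct acpi_bert_region)" to ">=", but the commit message only describes moving the length and block_status checks. Please state in the changelog why a block that exactly fills the remaining space should now be processed, so the boundary change is not read as accidental. Since the loop body reads through estatus, writing the bound as sizeof(*estatus) would also tie it to the object that is actually dereferenced.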
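
Review bot: In the second hunk (@@ -58,6 +50,15) the truncation test now runs before the block_status test, so an unused block (block_status == 0) whose length fields hold stale values is reported as "Truncated status block" with FW_BUG instead of ending the walk quietly. The loop condition already guarantees that a header's worth of bytes remains, so if block_status lies within that header it could be tested first, leaving only cper_estatus_check() behind the length check. If the new order is intentional, a short comment saying so would help.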
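
Review bot: After the third hunk (@@ -70,10 +71,6) the walk depends entirely on "remain -= estatus_len" followed by the loop condition, and that arithmetic mixes the int remain with the u32 estatus_len declared at the top of bert_print_all(). The subtraction cannot go negative only because of the earlier "remain < estatus_len" test, and both that test and the comparison against sizeof() are evaluated as unsigned. Declaring remain with an unsigned type would make the intent explicit and remove the reliance on implicit conversion.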