From: Ross Lagerwall
To:
CC: , , "Rafael J . Wysocki" , Len Brown , Tony Luck , Borislav Petkov , Huang Ying , Ross Lagerwall
Subject: [PATCH v2 2/2] efi/cper: Fix possible out-of-bounds access
Date: Mon, 28 Jan 2019 10:04:24 +0000
Message-ID: <20190128100424.30278-3-ross.lagerwall@citrix.com>
X-Mailer: git-send-email 2.17.2
In-Reply-To: <20190128100424.30278-1-ross.lagerwall@citrix.com>
References: <20190128100424.30278-1-ross.lagerwall@citrix.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

When checking a generic status block, we iterate over all the generic
data blocks. The loop condition only checks that the start of the
generic data block is valid (within estatus->data_length) but not the
whole block. Because the size of data blocks (excluding error data) may
vary depending on the revision and the revision is contained within the
data block, ensure that enough of the current data block is valid before
dereferencing any members; otherwise an out-of-bounds access may occur
if estatus->data_length is invalid. This relies on the fact that struct
acpi_hest_generic_data_v300 is a superset of the earlier version.

Also rework the other checks to avoid potential underflow.

Signed-off-by: Ross Lagerwall
---
 drivers/firmware/efi/cper.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
index a7902fccdcfa..6090d25dce85 100644
--- a/drivers/firmware/efi/cper.c
+++ b/drivers/firmware/efi/cper.c
@@ -546,19 +546,24 @@ EXPORT_SYMBOL_GPL(cper_estatus_check_header); int cper_estatus_check(const struct acpi_hest_generic_status *estatus) { struct acpi_hest_generic_data *gdata; - unsigned int data_len, gedata_len; + unsigned int data_len, record_size; int rc; rc = cper_estatus_check_header(estatus); if (rc) return rc; + data_len = estatus->data_length; apei_estatus_for_each_section(estatus, gdata) { - gedata_len = acpi_hest_get_error_length(gdata); - if (gedata_len > data_len - acpi_hest_get_size(gdata)) + if (sizeof(struct acpi_hest_generic_data) > data_len) + return -EINVAL; + + record_size = acpi_hest_get_record_size(gdata); + if (record_size > data_len) return -EINVAL; - data_len -= acpi_hest_get_record_size(gdata); + + data_len -= record_size; } if (data_len) return -EINVAL; -- 2.17.2
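Review bot: the only bound on the error payload in this hunk is `if (record_size > data_len)`, and record_size comes from acpi_hest_get_record_size(gdata), i.e. the header size plus error_data_length; if that helper performs the addition in 32-bit arithmetic (its body is not visible here), a firmware-supplied error_data_length close to UINT_MAX could wrap the sum to a small value that passes the check and also makes the step to the next section tiny. Consider bounding the two parts separately, e.g. `if (acpi_hest_get_size(gdata) > data_len) return -EINVAL;` followed by `if (acpi_hest_get_error_length(gdata) > data_len - acpi_hest_get_size(gdata)) return -EINVAL;`, which keeps the subtraction from underflowing (the reason the old `gedata_len > data_len - acpi_hest_get_size(gdata)` check was dropped) without summing first. Separately, the new `sizeof(struct acpi_hest_generic_data) > data_len` guard is sufficient only because acpi_hest_generic_data_v300 shares the v2 prefix, so the revision field can be read before the real header size is known; the commit message states this but the code does not, and a one-line comment above that check would spare the next reader from re-deriving it.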
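The loop the commit message describes, as an added example that is not the kernel's code or the patch author's: a simplified model of cper_estatus_check() before and after the change. The struct names gen_status, gen_data and gen_data_v300 and the helpers hdr_size(), err_len(), note_read(), check_old(), check_new() and build() are this example's own stand-ins for acpi_hest_generic_status, acpi_hest_generic_data and the acpi_hest_get_*() helpers; the field layouts mirror the ACPI ones but are constructed here. The helpers record how far past the start of the data blocks each version reads, and the sample buffers are constructed. check_new() goes one step beyond the patch: it compares error_data_length against what remains after the header instead of summing the two first, so the bound also holds where the sum could wrap.

```c
/* Added example (not kernel code): model of cper_estatus_check() pre/post patch.
 * Struct and helper names are this example's stand-ins for the ACPI HEST ones. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct gen_status {              /* stand-in for acpi_hest_generic_status */
    uint32_t block_status, raw_data_offset, raw_data_length;
    uint32_t data_length;        /* claimed size of the data blocks that follow */
    uint32_t error_severity;
};

struct gen_data {                /* stand-in for acpi_hest_generic_data, 64 bytes */
    uint8_t  section_type[16];
    uint32_t error_severity;
    uint16_t revision;
    uint8_t  validation_bits, flags;
    uint32_t error_data_length;  /* payload bytes that follow this header */
    uint8_t  fru_id[16], fru_text[20];
};

struct gen_data_v300 {           /* v300 is a superset: same prefix plus a timestamp */
    struct gen_data base;
    uint64_t time_stamp;
};

static size_t max_touched;       /* highest byte offset read from the data blocks */
size_t bytes_touched(void) { return max_touched; }

static void note_read(size_t off, size_t len)
{
    if (off + len > max_touched)
        max_touched = off + len;
}

/* Like acpi_hest_get_size(): the header length depends on a field inside it. */
static size_t hdr_size(const struct gen_data *g, size_t off)
{
    note_read(off + offsetof(struct gen_data, revision), sizeof g->revision);
    return g->revision >= 0x300 ? sizeof(struct gen_data_v300) : sizeof(struct gen_data);
}

/* Like acpi_hest_get_error_length(). */
static uint32_t err_len(const struct gen_data *g, size_t off)
{
    note_read(off + offsetof(struct gen_data, error_data_length), sizeof g->error_data_length);
    return g->error_data_length;
}

/* Pre-patch logic: both header fields are read before any bound on the current
 * block exists, and the unsigned subtraction wraps when data_len is smaller
 * than the header, so a crafted error_data_length can slip through. */
int check_old(const struct gen_status *st)
{
    const unsigned char *base = (const unsigned char *)(st + 1);
    unsigned int data_len = st->data_length;
    size_t off = 0;

    max_touched = 0;
    while (off < st->data_length) {                /* apei_estatus_for_each_section */
        const struct gen_data *g = (const struct gen_data *)(base + off);
        unsigned int gedata_len = err_len(g, off);
        size_t rs;

        if (gedata_len > data_len - (unsigned int)hdr_size(g, off))
            return -EINVAL;
        rs = hdr_size(g, off) + err_len(g, off);
        data_len -= (unsigned int)rs;              /* 32-bit wrap, as in the original */
        off += rs;
    }
    return data_len ? -EINVAL : 0;
}

/* Post-patch logic: prove the v2 header fits before reading revision or
 * error_data_length (v300 shares that prefix, so the revision read is safe),
 * then bound the whole record without summing header + payload first. */
int check_new(const struct gen_status *st)
{
    const unsigned char *base = (const unsigned char *)(st + 1);
    unsigned int data_len = st->data_length;
    size_t off = 0;

    max_touched = 0;
    while (off < st->data_length) {
        const struct gen_data *g = (const struct gen_data *)(base + off);
        size_t hs;
        uint32_t el;

        if (sizeof(struct gen_data) > data_len)
            return -EINVAL;
        hs = hdr_size(g, off);
        el = err_len(g, off);
        if (hs > data_len || el > data_len - hs)   /* hs <= data_len here: no wrap */
            return -EINVAL;
        data_len -= (unsigned int)(hs + el);
        off += hs + el;
    }
    return data_len ? -EINVAL : 0;
}

/* Constructed sample input: the backing store exceeds every data_length used
 * below, so the model never reads outside real memory; only the claim varies. */
static union { uint64_t align; unsigned char bytes[512]; } backing;

struct gen_status *build(uint32_t data_length, uint16_t rev, uint32_t error_len)
{
    struct gen_status *st = (struct gen_status *)backing.bytes;
    struct gen_data *g = (struct gen_data *)(st + 1);

    memset(backing.bytes, 0, sizeof backing.bytes);
    st->data_length = data_length;
    g->revision = rev;
    g->error_data_length = error_len;
    return st;
}
```

With a block that claims only 8 bytes of data, check_old() still reads 28 bytes (revision and error_data_length) before deciding, while check_new() rejects it without touching the block; with 32 claimed bytes and error_data_length set to 0xFFFFFFE0, the old arithmetic wraps back to exactly 32 and accepts the record, the new check rejects it.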