Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3287143imu; Mon, 28 Jan 2019 02:05:04 -0800 (PST) X-Google-Smtp-Source: ALg8bN6mK1V5Tp6hQqNKPqpBPwIs1pSEzf7TLOrt2aC1nIDN/0OEoUi799jMmRkZGXcXEo5eNxn3 X-Received: by 2002:a17:902:4681:: with SMTP id p1mr21704377pld.184.1548669904346; Mon, 28 Jan 2019 02:05:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548669904; cv=none; d=google.com; s=arc-20160816; b=Hl1oSiW+yG0WgbfFG+Yqs/2iRizgDsKuxuh7y7PrDVePrNCZ5/1Nai4NUTnqMUQfhM QlVKkv0Gu3TidgnUOs6Kkedv3OOQCYVniopZEE3MqhS8Y0TVJiO3XdiVf2P6nzTQMFKT ZLGE4jnlLJydyWLSVx7ABkRSkur9CVz8shhRGQfzMG9+ksrpJw7O6TnSRDa3EvLd/iZC poWvfGixnZbOmZk1qzqL5DsYIvSlJlRx1ovULckjCQL5HHWcKtSXVx9XGGN6ApUX9hGW zOSjOIDKpRVFQXDIMWLkKGe11zKJ0O7oKlMT1vs+ENpQoEaPyDx+BojSON1anj+fhhUT d/ow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=ThS57Y5SD9sV8dPCPY74bmPYPeU9AHjT8/nWGZJd7gM=; b=pmeyhLD2cDeyd6sMECAK7/QrhbJ/uHS23hDaN0ULGgPfoUPoMkIth0uqn2S/R/ZwN6 /QMYAtWkRWr3VetWYnYfMxXaRHhkpzh8leDr16JPqlhB+sDRnDR/poiU1EVGq3UCwRfx b7xMEefy/WGtkkfy02XDYwlQ5CVfZhAHrKa8DjOlpRBOZ/ND7dnNd87RbGXGMzEuTbee DgsnKxoTRx7nb2+lTcGc791+7nLwcy2Zj9tsvx5tSoleZFBaMz+Nk7cRW6xqqNtCf9ZY rSSpbQWdtFYUV6DwQVFWng+DMJ4rLdlgCVNnYMghuVC8/xIvdORs1XWlgLbYBNI8Fl9D 2QbA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 64si33359045ply.372.2019.01.28.02.04.49; Mon, 28 Jan 2019 02:05:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726805AbfA1KEi (ORCPT + 99 others); Mon, 28 Jan 2019 05:04:38 -0500 Received: from smtp03.citrix.com ([162.221.156.55]:28666 "EHLO SMTP03.CITRIX.COM" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726719AbfA1KEf (ORCPT ); Mon, 28 Jan 2019 05:04:35 -0500 X-IronPort-AV: E=Sophos;i="5.56,533,1539648000"; d="scan'208";a="76590249" From: Ross Lagerwall To: CC: , , "Rafael J . Wysocki" , Len Brown , Tony Luck , Borislav Petkov , Huang Ying , Ross Lagerwall Subject: [PATCH v2 1/2] acpi/apei: Fix possible out-of-bounds access to BERT region Date: Mon, 28 Jan 2019 10:04:23 +0000 Message-ID: <20190128100424.30278-2-ross.lagerwall@citrix.com> X-Mailer: git-send-email 2.17.2 In-Reply-To: <20190128100424.30278-1-ross.lagerwall@citrix.com> References: <20190128100424.30278-1-ross.lagerwall@citrix.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Check that the length recorded in the generic error status block is within the region before checking the contents of the region itself. Otherwise it may result in an out-of-bounds access if the system firmware has generated a status block with an invalid length (larger than the mapped region). Also move the block_status check so that it only happens after the block has been verified to be within the mapped region. Signed-off-by: Ross Lagerwall --- drivers/acpi/apei/bert.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c index 12771fcf0417..0d948d0a41af 100644 --- a/drivers/acpi/apei/bert.c +++ b/drivers/acpi/apei/bert.c @@ -42,15 +42,7 @@ static void __init bert_print_all(struct acpi_bert_region *region, int remain = region_len; u32 estatus_len; - if (!estatus->block_status) - return; - - while (remain > sizeof(struct acpi_bert_region)) { - if (cper_estatus_check(estatus)) { - pr_err(FW_BUG "Invalid error record.\n"); - return; - } - + while (remain >= sizeof(struct acpi_bert_region)) { estatus_len = cper_estatus_len(estatus); if (remain < estatus_len) { pr_err(FW_BUG "Truncated status block (length: %u).\n", @@ -58,6 +50,15 @@ static void __init bert_print_all(struct acpi_bert_region *region, return; } + /* No more error records. */ + if (!estatus->block_status) + return; + + if (cper_estatus_check(estatus)) { + pr_err(FW_BUG "Invalid error record.\n"); + return; + } + pr_info_once("Error records from previous boot:\n"); cper_estatus_print(KERN_INFO HW_ERR, estatus); @@ -70,10 +71,6 @@ static void __init bert_print_all(struct acpi_bert_region *region, estatus->block_status = 0; estatus = (void *)estatus + estatus_len; - /* No more error records. */ - if (!estatus->block_status) - return; - remain -= estatus_len; } } -- 2.17.2