Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp992985yba; Thu, 4 Apr 2019 01:58:24 -0700 (PDT) X-Google-Smtp-Source: APXvYqwLScguDHlmAsfFbdUWMpxzqWSooNj6ZYQb0BTsazSo6z/HPyf+yTWn1OJ1Lfzs+utzp/g3 X-Received: by 2002:a63:1918:: with SMTP id z24mr4433795pgl.406.1554368304346; Thu, 04 Apr 2019 01:58:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554368304; cv=none; d=google.com; s=arc-20160816; b=Z8o1aDmdk7HHAE5iQU6YRyJ6xpHpWX901fxo37XOJvC0ycUeienxSsTZe5cACk7OX6 hgqOyVXdD06uN3ICMyVjiwQP1EKpBfQdWiflTxuCe52wWO3+usEmQtml4a/04wPMyQ58 hJO/FwZtV0OmJye141wJcXFMnmrzTysQjvMUD51qg0BwD3BZFAJjWJWI++0qoIXrxPYZ JgrKc+1Cnr6WLxfExTTFmbwexG611t56VoLa4gCwdIUlVGvWioe0XK6Brn3o3835qHKj a7leKGkDEkszP8h3F/V183FgnOQIP+TS7Hq4Jr0m6lC/0ym7FmM+59NTBNpylvu8Xrz1 XeEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=2M2C21MCkztOuh+V/FKgcxy50R06IKah9FcmWLW3ab8=; b=J6WMbwZ4xyqjSxdV+6VLLW3c0JbUhU4efIj8KCCBiQV+sGs9pScmM63UYyTU6E8poC yRL7Mxqp5nw9JBXKBC9sX8bjruxitxduqYfUmZhGxAnpuBLTY/5c4b3umz4DColon7Md yJ/mXSehB04tjrINOSxwwscxjGu0h0fMNXhRnIvFCLT2hvr+QBlkKKU0zKhB/R6lsNm9 /NAVt0+qY935eterUuy5GTBY3SGp+6/dqQp3B6z3YGdZZTtodh0ZW5IXEDm/X+XBs8DZ BVRzpLYtcBX7uYvChmR9npS39j3ZbHNHLxaZ4b1t8aRiU9gpmMT7birjng3HMx3gcxVB smKQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Khtw+K+h; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a13si16115316pgh.139.2019.04.04.01.58.09; Thu, 04 Apr 2019 01:58:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Khtw+K+h; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730355AbfDDIzv (ORCPT + 99 others); Thu, 4 Apr 2019 04:55:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:58826 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729636AbfDDIzs (ORCPT ); Thu, 4 Apr 2019 04:55:48 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 948C620652; Thu, 4 Apr 2019 08:55:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1554368147; bh=v8WzARKgtdZFbrz58kOY1r7mlH5VsEA2lgLBGyA6iZQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Khtw+K+hEUDrBG8LNkDPHu0uegWwyM+o1RxUjaT9R8oQfYuu5tGybGFgAfiouwT67 rSuCg2nzrIKb9DAySw/D9YmBmghFL9dNkwbCg0f+9ZkeKsUtULWAL8mGQIQfb19YlP 1SpTYu7BHUg+UUO/ZweO0WBl/dVzVyq3vXNFKFiA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ross Lagerwall , Borislav Petkov , Tyler Baicar , "Rafael J. Wysocki" , Sasha Levin Subject: [PATCH 4.14 054/121] efi: cper: Fix possible out-of-bounds access Date: Thu, 4 Apr 2019 10:47:22 +0200 Message-Id: <20190404084548.198735557@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190404084545.245659903@linuxfoundation.org> References: <20190404084545.245659903@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit 45b14a4ffcc1e0b5caa246638f942cbe7eaea7ad ] When checking a generic status block, we iterate over all the generic data blocks. The loop condition only checks that the start of the generic data block is valid (within estatus->data_length) but not the whole block. Because the size of data blocks (excluding error data) may vary depending on the revision and the revision is contained within the data block, ensure that enough of the current data block is valid before dereferencing any members otherwise an out-of-bounds access may occur if estatus->data_length is invalid. This relies on the fact that struct acpi_hest_generic_data_v300 is a superset of the earlier version. Also rework the other checks to avoid potential underflow. Signed-off-by: Ross Lagerwall Acked-by: Borislav Petkov Tested-by: Tyler Baicar Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin --- drivers/firmware/efi/cper.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c index d2fcafcea07e..ce23d5402bd6 100644 --- a/drivers/firmware/efi/cper.c +++ b/drivers/firmware/efi/cper.c @@ -641,19 +641,24 @@ EXPORT_SYMBOL_GPL(cper_estatus_check_header); int cper_estatus_check(const struct acpi_hest_generic_status *estatus) { struct acpi_hest_generic_data *gdata; - unsigned int data_len, gedata_len; + unsigned int data_len, record_size; int rc; rc = cper_estatus_check_header(estatus); if (rc) return rc; + data_len = estatus->data_length; apei_estatus_for_each_section(estatus, gdata) { - gedata_len = acpi_hest_get_error_length(gdata); - if (gedata_len > data_len - acpi_hest_get_size(gdata)) + if (sizeof(struct acpi_hest_generic_data) > data_len) + return -EINVAL; + + record_size = acpi_hest_get_record_size(gdata); + if (record_size > data_len) return -EINVAL; - data_len -= acpi_hest_get_record_size(gdata); + + data_len -= record_size; } if (data_len) return -EINVAL; -- 2.19.1