Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1005861yba; Thu, 4 Apr 2019 02:14:39 -0700 (PDT) X-Google-Smtp-Source: APXvYqytQ2xjMbeMOmI+4rR5uIdmCOEyY2R6HNVEKokMi97+y8ibqRj8HdwcsDDwNc41iSt6XT// X-Received: by 2002:a63:79c3:: with SMTP id u186mr4640918pgc.20.1554369279180; Thu, 04 Apr 2019 02:14:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554369279; cv=none; d=google.com; s=arc-20160816; b=C6EbTaVZVgYCvDJK50P5bNZHbIG80MME29oW0Rnot4S0A613e4HFJRdM25OBR/6hAH iwoWUR5G4NE9vN1d/8nBZOy8bSbaRLtHau31l27zKa6Mtoug2SlDzMnDPTgSExymevpw laRaOOr9yKHWN629tzD1keNuwb4aoMxsU3eMG8dPx8qv2woGPgFOWz+4SjDwB+FpWZTx dbcxXFp1z7NLQT4G5uaTuL2AbSG6trSsPn1NWCtFKj+g8l4yrLTzOmHV4GxX+7YA4oot jnFPOx7RrVBmpDFj4XBmbpHP/Cbb1UClJGILw/qBK6tTZOi1ibq2FyzfPFDuvdvTdY5+ rRyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=hmT7calANYAb2Bk2q4re9NEoA+L/KHbLSrTSYIeTeTA=; b=TFAUEchKeZEoYeqaH0bPCs2KIFmtDX6MzapJNayu0NkvUkmwE2RttjZ/FrgTnzJJCt JIRT0xzhTbDHyy4VGp37kCiIkPHJDIZ4bh/ewJRCYPaz/vzTEb18yvMVWfBqxJhPEjyJ wcxZor64p1JnqCLRAkYzm3BTUqGY7zQZg9y6tbFTU2+JTKGMuXCoy8rv+Xv4JeFbbWKQ RfLKi6fKIYY4Lv4hbMksbrE3lQM7jRLChSZV5S1WaOE/WkiNY+YklRhxhFzAU6VvWSof BLBhV9NZRFuGW7Idhgb/g2ZGRz0sXQZKfxg3zeWlgDQ+7bHPGtihaFU0ZiOHqOXqGDXR TE0w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=EAiJ5RRW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 73si16155554pld.156.2019.04.04.02.14.24; Thu, 04 Apr 2019 02:14:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=EAiJ5RRW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387422AbfDDJMf (ORCPT + 99 others); Thu, 4 Apr 2019 05:12:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:52610 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387414AbfDDJMc (ORCPT ); Thu, 4 Apr 2019 05:12:32 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9A0F82054F; Thu, 4 Apr 2019 09:12:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1554369152; bh=OM+XS2an9UAEaPoTZbPTtTV5/9kG6w8fwJYo2wfoXEY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EAiJ5RRWWfC0ccs93Z0vXuxVLUAvY9vliFMoJdPaC6fWVZg+MKS9PoZsL8SJa8Y44 lYKjBP4FySJ0LrDFUD752hTXIOKxn8Hz/T0WLBso5cZGRL/s2I/EihUk6amyZWENWq LKRzv9QrSGIbl7Mf83AhVDPST6xDmwFDWGmUm6I0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ross Lagerwall , Borislav Petkov , Tyler Baicar , "Rafael J. Wysocki" , Sasha Levin Subject: [PATCH 5.0 103/246] efi: cper: Fix possible out-of-bounds access Date: Thu, 4 Apr 2019 10:46:43 +0200 Message-Id: <20190404084622.751720965@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190404084619.236418459@linuxfoundation.org> References: <20190404084619.236418459@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 5.0-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit 45b14a4ffcc1e0b5caa246638f942cbe7eaea7ad ] When checking a generic status block, we iterate over all the generic data blocks. The loop condition only checks that the start of the generic data block is valid (within estatus->data_length) but not the whole block. Because the size of data blocks (excluding error data) may vary depending on the revision and the revision is contained within the data block, ensure that enough of the current data block is valid before dereferencing any members otherwise an out-of-bounds access may occur if estatus->data_length is invalid. This relies on the fact that struct acpi_hest_generic_data_v300 is a superset of the earlier version. Also rework the other checks to avoid potential underflow. Signed-off-by: Ross Lagerwall Acked-by: Borislav Petkov Tested-by: Tyler Baicar Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin --- drivers/firmware/efi/cper.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c index a7902fccdcfa..6090d25dce85 100644 --- a/drivers/firmware/efi/cper.c +++ b/drivers/firmware/efi/cper.c @@ -546,19 +546,24 @@ EXPORT_SYMBOL_GPL(cper_estatus_check_header); int cper_estatus_check(const struct acpi_hest_generic_status *estatus) { struct acpi_hest_generic_data *gdata; - unsigned int data_len, gedata_len; + unsigned int data_len, record_size; int rc; rc = cper_estatus_check_header(estatus); if (rc) return rc; + data_len = estatus->data_length; apei_estatus_for_each_section(estatus, gdata) { - gedata_len = acpi_hest_get_error_length(gdata); - if (gedata_len > data_len - acpi_hest_get_size(gdata)) + if (sizeof(struct acpi_hest_generic_data) > data_len) + return -EINVAL; + + record_size = acpi_hest_get_record_size(gdata); + if (record_size > data_len) return -EINVAL; - data_len -= acpi_hest_get_record_size(gdata); + + data_len -= record_size; } if (data_len) return -EINVAL; -- 2.19.1