Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1025306yba; Thu, 4 Apr 2019 02:42:11 -0700 (PDT) X-Google-Smtp-Source: APXvYqxrRj80DG7ydO74xQHLI4R8+E9HIIdsuUtpX+0bQUTomkByKAMbS8qSZRYIusSzIKkdz4Pu X-Received: by 2002:a17:902:bd41:: with SMTP id b1mr5366608plx.221.1554370931537; Thu, 04 Apr 2019 02:42:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554370931; cv=none; d=google.com; s=arc-20160816; b=amKjgNtKHKWquYjvNNt3e99mUQCVAGEfqd7qy/7j6HLAcCpMMqhI5U0CcKhfGqvGcU atSEfbURBdxElxs52TRIW4++9EWgbN+YV3EJtr51u1k1NMo9PZ5EJ4KKlcOJW1GOg7QN s065qRkKZwusg7D7Qn+PqFTdKD0lKS49QfZGBE0ceDMYwnLUZLex+BkzCe+Xl3KhA6z5 ITKpKDutACJsgoDshjSmHBhr5OvIXqRgRDEoKNeUxskT7UlPIL+Sihb4VYCGMsy8JhNB WaF2hEuFVScdJCLE/fTiFt635nF8S4+bFvC3KRvcAKe3aFgR+lGWtWf9/jCjIWwRWnZN mMoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=0d+cnFl6b7r5bcBufKXey5c3p9Hh0/8aaM66458oiHA=; b=WliNmq/1CDf3mufhgD32/eFoHOIuId+LnYKYapysGK2ztyr+ZoDzWAECcdg5+bPRVj UGZ/9jP4sUQRgbxYwfERtd8wCjAyof7hDub2wMUrmE5/gmW7HEN6De9FFyDOfJzDVHrW RW2gbEwoVih9ahUGGATrXTZ+pezHM5l9NiXBRC7C6srIrTG66xvbyZ3Kheb88F5lx4vI ksR+nNcTkBKPDjinf0G2SRtAtv/TohLK6EGC1si7tK8ty7U2mm4+HOi5Lr7iHATV/Cu9 s9QmJjG9X+aeptI2OzXgqJoJsbOuNTEW4l554YhJeURXY0z6GPt24B68iSWUS1iE42SF 64Fg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=kCX0r85d; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h185si15504062pfc.241.2019.04.04.02.41.56; Thu, 04 Apr 2019 02:42:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=kCX0r85d; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731859AbfDDJkM (ORCPT + 99 others); Thu, 4 Apr 2019 05:40:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:40578 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731134AbfDDJC7 (ORCPT ); Thu, 4 Apr 2019 05:02:59 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A32892177E; Thu, 4 Apr 2019 09:02:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1554368579; bh=2MZ483cMb+4bEeqB6KcWkEnGxQDFzhDXWOBz0isIen0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kCX0r85dMwwyScwnO/B+N818d5Shs4Y65SgfCMJ5O1NuTBaxPD2onJMVKhfcb3RIX MHC7DqqHsiwQ4O0RtI6vziCU2QP/aBxKaJrcqvRJixzxisEwlZdMknOuN2ob7bQPrq RjVe3NxNbr1NPC+ajLeKvmWitqPJ87a99N0XrYjQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ross Lagerwall , Borislav Petkov , Tyler Baicar , "Rafael J. Wysocki" , Sasha Levin Subject: [PATCH 4.19 075/187] efi: cper: Fix possible out-of-bounds access Date: Thu, 4 Apr 2019 10:46:52 +0200 Message-Id: <20190404084606.575600196@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190404084603.119654039@linuxfoundation.org> References: <20190404084603.119654039@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit 45b14a4ffcc1e0b5caa246638f942cbe7eaea7ad ] When checking a generic status block, we iterate over all the generic data blocks. The loop condition only checks that the start of the generic data block is valid (within estatus->data_length) but not the whole block. Because the size of data blocks (excluding error data) may vary depending on the revision and the revision is contained within the data block, ensure that enough of the current data block is valid before dereferencing any members otherwise an out-of-bounds access may occur if estatus->data_length is invalid. This relies on the fact that struct acpi_hest_generic_data_v300 is a superset of the earlier version. Also rework the other checks to avoid potential underflow. Signed-off-by: Ross Lagerwall Acked-by: Borislav Petkov Tested-by: Tyler Baicar Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin --- drivers/firmware/efi/cper.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c index a7902fccdcfa..6090d25dce85 100644 --- a/drivers/firmware/efi/cper.c +++ b/drivers/firmware/efi/cper.c @@ -546,19 +546,24 @@ EXPORT_SYMBOL_GPL(cper_estatus_check_header); int cper_estatus_check(const struct acpi_hest_generic_status *estatus) { struct acpi_hest_generic_data *gdata; - unsigned int data_len, gedata_len; + unsigned int data_len, record_size; int rc; rc = cper_estatus_check_header(estatus); if (rc) return rc; + data_len = estatus->data_length; apei_estatus_for_each_section(estatus, gdata) { - gedata_len = acpi_hest_get_error_length(gdata); - if (gedata_len > data_len - acpi_hest_get_size(gdata)) + if (sizeof(struct acpi_hest_generic_data) > data_len) + return -EINVAL; + + record_size = acpi_hest_get_record_size(gdata); + if (record_size > data_len) return -EINVAL; - data_len -= acpi_hest_get_record_size(gdata); + + data_len -= record_size; } if (data_len) return -EINVAL; -- 2.19.1