From: Al Stone <ahs3@redhat.com>
To: linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Al Stone <ahs3@redhat.com>,
	"Rafael J . Wysocki" <rjw@rjwysocki.net>,
	Len Brown <lenb@kernel.org>
Subject: [PATCH v3 2/3] ACPI: ensure acpi_parse_entries_array() does not access non-existent table data
Date: Mon, 30 Apr 2018 18:39:06 -0600
Message-ID: <20180501003907.4322-3-ahs3@redhat.com>
In-Reply-To: <20180501003907.4322-1-ahs3@redhat.com>

For ACPI tables that have subtables, acpi_parse_entries_array() gets used
to step through each of the subtables in memory.  The primary loop for this
was checking that the beginning location of the subtable being examined
plus the length of struct acpi_subtable_header was not beyond the end of
the complete ACPI table; if it wasn't, the subtable could be examined, but
if it was, the loop would terminate as it should.

In the middle of this subtable loop, a callback is used to examine the
subtable in detail.

Should the callback function try to examine elements of the subtable that
are located past the subtable header, and the ACPI table containing this
subtable has an incorrect length, it is possible to access either invalid
or protected memory and cause a fault.  And, the length of struct
acpi_subtable_header will always be smaller than the length of the actual
subtable.

To fix this, we make the main loop check that the beginning of the
subtable being examined plus the actual length of the subtable does
not go past the end of the enclosing ACPI table.  While this cannot
protect us from malicious callback functions, it can prevent us from
failing because of some poorly constructed ACPI tables.

Found by inspection.  There is no functional change to existing code
that is known to work when calling acpi_parse_entries_array().

Signed-off-by: Al Stone <ahs3@redhat.com>
Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
Cc: Len Brown <lenb@kernel.org>
---
 drivers/acpi/tables.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index 4a3410aa6540..82c3e2c52dd9 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -274,8 +274,7 @@ acpi_parse_entries_array(char *id, unsigned long table_size,
 	entry = (struct acpi_subtable_header *)
 	    ((unsigned long)table_header + table_size);
 
-	while (((unsigned long)entry) + sizeof(struct acpi_subtable_header) <
-	       table_end) {
+	while ((unsigned long)entry + entry->length <= table_end) {
 		if (max_entries && count >= max_entries)
 			break;
 
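Review bot: the new loop condition reads `entry->length` before anything has established that the header at `entry` lies inside the table; the removed check `(unsigned long)entry + sizeof(struct acpi_subtable_header) < table_end` was exactly what guaranteed the length field itself was readable, so a table whose remaining bytes are fewer than the header size now has its length field read from past `table_end`. Suggest keeping the header check and adding the full-length check after it, e.g. `while ((unsigned long)entry + sizeof(struct acpi_subtable_header) <= table_end && (unsigned long)entry + entry->length <= table_end)`. Two further points worth confirming from the body below this hunk: a zero `entry->length` would leave the loop on the same entry forever unless the body rejects it, and the move from `<` to `<=` admits a subtable ending exactly at `table_end`, which looks like the intended off-by-one fix but is a behaviour change the commit message should state rather than describe as none.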
-- 
2.14.3
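As an added illustration of the bounds check the patch description argues for (stand-alone example code written here, not the kernel's acpi_parse_entries_array() and not the author's patch): a walk over ACPI-style subtables in a constructed byte buffer. The two-byte (type, length) header mirrors struct acpi_subtable_header; the enclosing-table header size, the buffer contents and the function names walk_subtables(), old_check_admits() and the demo_*() helpers are all constructed for this example. It checks the header first, then the full subtable length, and rejects a zero length, and shows that a header-only check admits a truncated subtable the full-length check refuses.

```c
/*
 * Added example, not kernel code: walk ACPI-style subtables inside a
 * constructed byte buffer and stop at the first one that does not fit.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout mirrors struct acpi_subtable_header: type, then total length. */
struct subtable_header {
	uint8_t type;
	uint8_t length;	/* whole subtable, header included */
};

/* Hypothetical size of the enclosing table's fixed header. */
#define TABLE_HDR_LEN 2

/*
 * Walk subtables in buf[TABLE_HDR_LEN..table_len).  Returns the number of
 * subtables that lie entirely inside the table, or -1 on a malformed
 * entry (header past the end, zero length, or length past the end).
 * cb(), if non-NULL, is only ever called on a fully in-bounds entry.
 */
static int walk_subtables(const uint8_t *buf, size_t table_len,
			  void (*cb)(const struct subtable_header *))
{
	size_t off = TABLE_HDR_LEN;
	int count = 0;

	while (off < table_len) {
		const struct subtable_header *e;

		/* 1. The header must be readable before its length is trusted. */
		if (table_len - off < sizeof(*e))
			return -1;
		e = (const struct subtable_header *)(buf + off);

		/* 2. A zero length would keep the loop on the same entry. */
		if (e->length == 0)
			return -1;

		/* 3. The whole subtable, not just its header, must fit. */
		if (e->length > table_len - off)
			return -1;

		if (cb)
			cb(e);
		count++;
		off += e->length;
	}
	return count;
}

/* The pre-patch condition: only the header has to fit (strict '<'). */
static int old_check_admits(size_t off, size_t table_len)
{
	return off + sizeof(struct subtable_header) < table_len;
}

/* Constructed table: 2-byte table header, then subtables of length 4 and 6. */
static const uint8_t good_table[] = {
	0xAA, 0xBB,				/* table header (constructed) */
	0x00, 0x04, 0x11, 0x22,			/* type 0, length 4 */
	0x01, 0x06, 0x33, 0x44, 0x55, 0x66,	/* type 1, length 6 */
};

/* Constructed table whose first subtable claims length 0. */
static const uint8_t zero_len_table[] = {
	0xAA, 0xBB,
	0x00, 0x00, 0x11, 0x22,
};

static void print_entry(const struct subtable_header *e)
{
	printf("  subtable type %u length %u\n", e->type, e->length);
}

/* Well-formed table: both subtables accepted. */
static int demo_good(void)
{
	return walk_subtables(good_table, sizeof(good_table), print_entry);
}

/* Same bytes with the last two cut off: second subtable no longer fits. */
static int demo_truncated(void)
{
	return walk_subtables(good_table, sizeof(good_table) - 2, print_entry);
}

/* The header-only check would still have admitted that truncated entry. */
static int demo_old_check_on_truncated(void)
{
	return old_check_admits(TABLE_HDR_LEN + 4, sizeof(good_table) - 2);
}

static int demo_zero_length(void)
{
	return walk_subtables(zero_len_table, sizeof(zero_len_table), NULL);
}

int main(void)
{
	printf("good table: %d\n", demo_good());
	printf("truncated table: %d\n", demo_truncated());
	printf("old check admits truncated entry: %d\n",
	       demo_old_check_on_truncated());
	printf("zero-length entry: %d\n", demo_zero_length());
	return 0;
}
```

The walk returns 2 for the intact buffer, -1 for the truncated one (the second header still fits, so the old header-only condition returns 1 for it), and -1 for the zero-length entry.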

Thread overview: 17+ messages
2018-05-01  0:39 [PATCH v3 0/3] mailbox: ACPI: Remove incorrect error message about parsing PCCT Al Stone
2018-05-01  0:39 ` [PATCH v3 1/3] ACPI: improve function documentation for acpi_parse_entries_array() Al Stone
2018-05-01  0:39 ` Al Stone [this message]
2018-05-15 17:19   ` [PATCH v3 2/3] ACPI: ensure acpi_parse_entries_array() does not access non-existent table data Rafael J. Wysocki
2018-05-15 21:53     ` Al Stone
2018-05-16 15:09       ` Al Stone
2018-05-01  0:39 ` [PATCH v3 3/3] mailbox: ACPI: erroneous error message when parsing the ACPI PCCT Al Stone
2018-05-12 11:49   ` Rafael J. Wysocki
2018-05-14 21:04   ` Prakash, Prashanth
2018-05-14 22:49     ` Al Stone
2018-05-15  8:00       ` Rafael J. Wysocki
2018-05-16 22:01         ` [PATCH v4 3/3] mailbox: ACPI: erroneous error message when parsing the ACPI, PCCT Al Stone
2018-05-17 10:24           ` Rafael J. Wysocki
2018-05-17 19:48             ` Prakash, Prashanth
2018-05-23 11:34               ` Rafael J. Wysocki
2018-05-16 22:03         ` [PATCH v3 3/3] mailbox: ACPI: erroneous error message when parsing the ACPI PCCT Al Stone
2018-05-13  8:30 ` [PATCH v3 0/3] mailbox: ACPI: Remove incorrect error message about parsing PCCT Rafael J. Wysocki