Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/dev/acpi Reject overly large widths, from mlelstv.



details:   https://anonhg.NetBSD.org/src/rev/2417971e9667
branches:  trunk
changeset: 971043:2417971e9667
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sun Apr 12 01:12:03 2020 +0000

description:
Reject overly large widths, from mlelstv.

We are returning an ACPI_INTEGER (= uint64_t), so it doesn't make
sense to handle more than 64 bits.

Apparently there are some ACPIs out there that ask for unreasonably
large widths here.  Just reject those requests, rather than writing
past the caller's stack buffer.

Previously we attempted to fix this by copying byte by byte as large
as the caller asked, in order to avoid the undefined behaviour of
shifting past the size of ACPI_INTEGER, but that just turned a shift
(which might have been harmless on real machines) into a stack buffer
overflow (!).

ok msaitoh

diffstat:

 sys/dev/acpi/acpi_ec.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (29 lines):

diff -r 00428409d269 -r 2417971e9667 sys/dev/acpi/acpi_ec.c
--- a/sys/dev/acpi/acpi_ec.c    Sun Apr 12 01:11:56 2020 +0000
+++ b/sys/dev/acpi/acpi_ec.c    Sun Apr 12 01:12:03 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: acpi_ec.c,v 1.80 2020/04/12 01:11:52 riastradh Exp $   */
+/*     $NetBSD: acpi_ec.c,v 1.81 2020/04/12 01:12:03 riastradh Exp $   */
 
 /*-
  * Copyright (c) 2007 Joerg Sonnenberger <joerg%NetBSD.org@localhost>.
@@ -59,7 +59,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: acpi_ec.c,v 1.80 2020/04/12 01:11:52 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: acpi_ec.c,v 1.81 2020/04/12 01:12:03 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/callout.h>
@@ -662,8 +662,8 @@
        uint8_t addr, reg;
        unsigned int i;
 
-       if (paddr > 0xff || width % 8 != 0 || value == NULL || arg == NULL ||
-           paddr + width / 8 > 0x100)
+       if (paddr > 0xff || width % 8 != 0 || width > sizeof(ACPI_INTEGER)*8 ||
+           value == NULL || arg == NULL || paddr + width / 8 > 0x100)
                return AE_BAD_PARAMETER;
 
        addr = paddr;



Home | Main Index | Thread Index | Old Index