Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-8]: src/sys/dev/acpi Pull up following revision(s) (requested by ...
details: https://anonhg.NetBSD.org/src/rev/96a2a3b8d3e2
branches: netbsd-8
changeset: 434835:96a2a3b8d3e2
user: snj <snj%NetBSD.org@localhost>
date: Sun Apr 08 06:06:07 2018 +0000
description:
Pull up following revision(s) (requested by nonaka in ticket #700):
sys/dev/acpi/acpi_mcfg.c: 1.6
Change the iteration, to make sure the ACPI_MCFG_ALLOCATION structure we're
reading fits the table we allocated. Linux does the same.
I have a laptop which, for some reason, reports a table size of 62 bytes.
Clearly that's incorrect, it should be 60 (44 + 16). Because of the stray
+2, here the kernel reads past the end of the allocated buffer, hits an
unmapped VA, and panics at boot time. So the laptop can't boot.
Now it boots fine.
diffstat:
sys/dev/acpi/acpi_mcfg.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diffs (28 lines):
diff -r eaecb7bc3815 -r 96a2a3b8d3e2 sys/dev/acpi/acpi_mcfg.c
--- a/sys/dev/acpi/acpi_mcfg.c Sun Apr 08 06:04:08 2018 +0000
+++ b/sys/dev/acpi/acpi_mcfg.c Sun Apr 08 06:06:07 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: acpi_mcfg.c,v 1.4 2016/07/12 09:45:34 hannken Exp $ */
+/* $NetBSD: acpi_mcfg.c,v 1.4.10.1 2018/04/08 06:06:07 snj Exp $ */
/*-
* Copyright (C) 2015 NONAKA Kimihiro <nonaka%NetBSD.org@localhost>
@@ -26,7 +26,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.4 2016/07/12 09:45:34 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.4.10.1 2018/04/08 06:06:07 snj Exp $");
#include <sys/param.h>
#include <sys/device.h>
@@ -287,7 +287,8 @@
nsegs = 0;
offset = sizeof(ACPI_TABLE_MCFG);
ama = ACPI_ADD_PTR(ACPI_MCFG_ALLOCATION, mcfg, offset);
- for (i = 0; offset < mcfg->Header.Length; i++) {
+ for (i = 0; offset + sizeof(ACPI_MCFG_ALLOCATION) <=
+ mcfg->Header.Length; i++) {
aprint_debug_dev(sc->sc_dev,
"MCFG: segment %d, bus %d-%d, address 0x%016" PRIx64 "\n",
ama->PciSegment, ama->StartBusNumber, ama->EndBusNumber,
Home |
Main Index |
Thread Index |
Old Index