Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-8]: src/sys/dev/acpi Pull up following revision(s) (requested by ...

details:   https://anonhg.NetBSD.org/src/rev/0ed77de0d7b4
branches:  netbsd-8
changeset: 851571:0ed77de0d7b4
user:      snj <snj%NetBSD.org@localhost>
date:      Sun Apr 08 06:06:07 2018 +0000

description:
Pull up following revision(s) (requested by nonaka in ticket #700):
        sys/dev/acpi/acpi_mcfg.c: 1.6
Change the iteration, to make sure the ACPI_MCFG_ALLOCATION structure we're
reading fits the table we allocated. Linux does the same.
I have a laptop which, for some reason, reports a table size of 62 bytes.
Clearly that's incorrect, it should be 60 (44 + 16). Because of the stray
+2, here the kernel reads past the end of the allocated buffer, hits an
unmapped VA, and panics at boot time. So the laptop can't boot.
Now it boots fine.

diffstat:

 sys/dev/acpi/acpi_mcfg.c |  7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diffs (28 lines):

diff -r 1b45da6db398 -r 0ed77de0d7b4 sys/dev/acpi/acpi_mcfg.c
--- a/sys/dev/acpi/acpi_mcfg.c  Sun Apr 08 06:04:08 2018 +0000
+++ b/sys/dev/acpi/acpi_mcfg.c  Sun Apr 08 06:06:07 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: acpi_mcfg.c,v 1.4 2016/07/12 09:45:34 hannken Exp $    */
+/*     $NetBSD: acpi_mcfg.c,v 1.4.10.1 2018/04/08 06:06:07 snj Exp $   */
 
 /*-
  * Copyright (C) 2015 NONAKA Kimihiro <nonaka%NetBSD.org@localhost>
@@ -26,7 +26,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.4 2016/07/12 09:45:34 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.4.10.1 2018/04/08 06:06:07 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/device.h>
@@ -287,7 +287,8 @@
        nsegs = 0;
        offset = sizeof(ACPI_TABLE_MCFG);
        ama = ACPI_ADD_PTR(ACPI_MCFG_ALLOCATION, mcfg, offset);
-       for (i = 0; offset < mcfg->Header.Length; i++) {
+       for (i = 0; offset + sizeof(ACPI_MCFG_ALLOCATION) <=
+           mcfg->Header.Length; i++) {
                aprint_debug_dev(sc->sc_dev,
                    "MCFG: segment %d, bus %d-%d, address 0x%016" PRIx64 "\n",
                    ama->PciSegment, ama->StartBusNumber, ama->EndBusNumber,
Home | Main Index | Thread Index | Old Index