Source-Changes-HG archive


[src/trunk]: src/sys/dev/acpi Change the iteration, to make sure the ACPI_MCF...



details:   https://anonhg.NetBSD.org/src/rev/262d4fc0eb4e
branches:  trunk
changeset: 831573:262d4fc0eb4e
user:      maxv <maxv%NetBSD.org@localhost>
date:      Fri Apr 06 17:30:25 2018 +0000

description:
Change the iteration, to make sure the ACPI_MCFG_ALLOCATION structure we're
reading fits the table we allocated. Linux does the same.

I have a laptop which, for some reason, reports a table size of 62 bytes.
Clearly that's incorrect, it should be 60 (44 + 16). Because of the stray
+2, here the kernel reads past the end of the allocated buffer, hits an
unmapped VA, and panics at boot time. So the laptop can't boot.

Now it boots fine.

diffstat:

 sys/dev/acpi/acpi_mcfg.c |  7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diffs (28 lines):

diff -r d8f0f9971bfb -r 262d4fc0eb4e sys/dev/acpi/acpi_mcfg.c
--- a/sys/dev/acpi/acpi_mcfg.c  Fri Apr 06 17:03:59 2018 +0000
+++ b/sys/dev/acpi/acpi_mcfg.c  Fri Apr 06 17:30:25 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: acpi_mcfg.c,v 1.5 2018/02/28 05:50:06 msaitoh Exp $    */
+/*     $NetBSD: acpi_mcfg.c,v 1.6 2018/04/06 17:30:25 maxv Exp $       */
 
 /*-
  * Copyright (C) 2015 NONAKA Kimihiro <nonaka%NetBSD.org@localhost>
@@ -26,7 +26,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.5 2018/02/28 05:50:06 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.6 2018/04/06 17:30:25 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/device.h>
@@ -287,7 +287,8 @@
        nsegs = 0;
        offset = sizeof(ACPI_TABLE_MCFG);
        ama = ACPI_ADD_PTR(ACPI_MCFG_ALLOCATION, mcfg, offset);
-       for (i = 0; offset < mcfg->Header.Length; i++) {
+       for (i = 0; offset + sizeof(ACPI_MCFG_ALLOCATION) <=
+           mcfg->Header.Length; i++) {
                aprint_debug_dev(sc->sc_dev,
                    "MCFG: segment %d, bus %d-%d, address 0x%016" PRIx64 "\n",
                    ama->PciSegment, ama->StartBusNumber, ama->EndBusNumber,
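Review bot: The new loop condition `offset + sizeof(ACPI_MCFG_ALLOCATION) <= mcfg->Header.Length` silently drops any trailing bytes that do not form a whole entry, so a malformed firmware table like the 62-byte one in the commit message leaves no trace in the logs. Consider emitting a diagnostic after the loop when `offset != mcfg->Header.Length`, using the same aprint facility as the existing `aprint_debug_dev` call, so the short or oversized table is visible at boot. A one-line comment above the `for` would also help, stating that Header.Length comes from firmware and may not be `sizeof(ACPI_TABLE_MCFG)` plus a multiple of the entry size; otherwise the check looks redundant and could be simplified back to `offset < mcfg->Header.Length` later.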


