| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Mar 2022 20:02:33 +0100
From: Vit Kabele <vit@...ele.me>
To: platform-driver-x86@...r.kernel.org
Cc: r.marek@...embler.cz, devel@...ica.org, mingo@...hat.com,
robert.moore@...el.com, linux-kernel@...r.kernel.org,
linux-acpi@...r.kernel.org
Subject: [PATCH 2/3 RESEND] acpica: Check that the EBDA pointer is in valid
range
If the memory at 0x40e is uninitialized, the retrieved physical_memory
address of EBDA may be beyond the low memory (i.e. above 640K).
If so, the kernel may unintentionally access the VGA memory, that
might not be decoded or even present in case of virtualization.
Signed-off-by: Vit Kabele <vit@...ele.me>
Reviewed-by: Rudolf Marek <r.marek@...embler.cz>
---
drivers/acpi/acpica/tbxfroot.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/acpica/tbxfroot.c b/drivers/acpi/acpica/tbxfroot.c
index 9fec3df6c3ba..67b7df1c0520 100644
--- a/drivers/acpi/acpica/tbxfroot.c
+++ b/drivers/acpi/acpica/tbxfroot.c
@@ -138,8 +138,11 @@ acpi_find_root_pointer(acpi_physical_address *table_address)
acpi_os_unmap_memory(table_ptr, ACPI_EBDA_PTR_LENGTH);
/* EBDA present? */
-
- if (physical_address > 0x400) {
+ /* Check that the EBDA pointer from 0x40e is sane and does not point
+ * above valid low memory
+ */
+ if (physical_address > 0x400 &&
+ physical_address < 0xA0000) {
/*
* 1b) Search EBDA paragraphs (EBDA is required to be a
* minimum of 1K length)
--
2.30.2
Powered by blists - more mailing lists