| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0d398f19-b8df-4936-97e0-fba8eb041d88@os.amperecomputing.com>
Date: Thu, 28 Mar 2024 16:41:17 -0700
From: Daniel Ferguson <danielf@...amperecomputing.com>
To: shiju.jose@...wei.com, linux-cxl@...r.kernel.org,
linux-acpi@...r.kernel.org, linux-mm@...ck.org, dan.j.williams@...el.com,
dave@...olabs.net, jonathan.cameron@...wei.com, dave.jiang@...el.com,
alison.schofield@...el.com, vishal.l.verma@...el.com, ira.weiny@...el.com
Cc: linux-edac@...r.kernel.org, linux-kernel@...r.kernel.org,
david@...hat.com, Vilas.Sridharan@....com, leo.duran@....com,
Yazen.Ghannam@....com, rientjes@...gle.com, jiaqiyan@...gle.com,
tony.luck@...el.com, Jon.Grimm@....com, dave.hansen@...ux.intel.com,
rafael@...nel.org, lenb@...nel.org, naoya.horiguchi@....com,
james.morse@....com, jthoughton@...gle.com, somasundaram.a@....com,
erdemaktas@...gle.com, pgonda@...gle.com, duenwen@...gle.com,
mike.malvestuto@...el.com, gthelen@...gle.com,
wschwartz@...erecomputing.com, dferguson@...erecomputing.com,
tanxiaofei@...wei.com, prime.zeng@...ilicon.com,
kangkang.shen@...urewei.com, wanghuiqiang@...wei.com, linuxarm@...wei.com,
wbs@...amperecomputing.com
Subject: Re: [RFC PATCH v7 11/12] ACPI:RAS2: Add driver for ACPI RAS2 feature
table (RAS2)
> +static int __init ras2_acpi_init(void)
> +{
> + u8 count;
> + acpi_status status;
> + acpi_size ras2_size;
> + int pcc_subspace_idx;
> + struct platform_device *pdev;
> + struct acpi_table_ras2 *pRas2Table;
> + struct acpi_ras2_pcc_desc *pcc_desc_list;
> + struct platform_device **pdev_list = NULL;
> + struct acpi_table_header *pAcpiTable = NULL;
> +
> + status = acpi_get_table("RAS2", 0, &pAcpiTable);
> + if (ACPI_FAILURE(status) || !pAcpiTable) {
> + pr_err("ACPI RAS2 driver failed to initialize, get table failed\n");
> + return RAS2_FAILURE;
> + }
> +
> + ras2_size = pAcpiTable->length;
> + if (ras2_size < sizeof(struct acpi_table_ras2)) {
> + pr_err("ACPI RAS2 table present but broken (too short #1)\n");
> + goto free_ras2_table;
> + }
> +
> + pRas2Table = (struct acpi_table_ras2 *)pAcpiTable;
> +
> + if (pRas2Table->num_pcc_descs <= 0) {
> + pr_err("ACPI RAS2 table does not contain PCC descriptors\n");
> + goto free_ras2_table;
> + }
> +
> + pdev_list = kzalloc((pRas2Table->num_pcc_descs * sizeof(struct platform_device *)),
> + GFP_KERNEL);
> + if (!pdev_list)
> + goto free_ras2_table;
> +
> + pcc_desc_list = (struct acpi_ras2_pcc_desc *)
> + ((void *)pRas2Table + sizeof(struct acpi_table_ras2));
> + count = 0;
> + while (count < pRas2Table->num_pcc_descs) {
> + if (pcc_desc_list->feature_type == RAS2_FEATURE_TYPE_MEMORY) {
> + pcc_subspace_idx = pcc_desc_list->channel_id;
> + /* Add the platform device and bind ras2 memory driver */
> + pdev = ras2_add_platform_device("ras2", &pcc_subspace_idx,
> + sizeof(pcc_subspace_idx));
> + if (!pdev)
> + goto free_ras2_pdev;
> + pdev_list[count] = pdev;
> + }
> + count++;
> + pcc_desc_list = pcc_desc_list + sizeof(struct acpi_ras2_pcc_desc);
This line needs to be:
pcc_desc_list = pcc_desc_list + 1
because pcc_desc_list is a type larger than a byte.
This bug will crash the module when num_pcc_descs
is greater than 1
> + }
> +
> + acpi_put_table(pAcpiTable);
> + return RAS2_SUCCESS;
> +
> +free_ras2_pdev:
> + count = 0;
> + while (count < pRas2Table->num_pcc_descs) {
> + if (pcc_desc_list->feature_type ==
> + RAS2_FEATURE_TYPE_MEMORY)
> + platform_device_put(pdev_list[count++]);
> + }
> + kfree(pdev_list);
> +
> +free_ras2_table:
> + acpi_put_table(pAcpiTable);
> + return RAS2_FAILURE;
> +}
Powered by blists - more mailing lists