| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z5u4vCwVCIhiE72I@lpieralisi>
Date: Thu, 30 Jan 2025 18:37:00 +0100
From: Lorenzo Pieralisi <lpieralisi@...nel.org>
To: Oliver Upton <oliver.upton@...ux.dev>
Cc: linux-acpi@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org, Hanjun Guo <guohanjun@...wei.com>,
Sudeep Holla <sudeep.holla@....com>, Will Deacon <will@...nel.org>,
Catalin Marinas <catalin.marinas@....com>,
Marc Zyngier <maz@...nel.org>,
Zheng Zengkai <zhengzengkai@...wei.com>, stable@...r.kernel.org
Subject: Re: [PATCH] ACPI: GTDT: Relax sanity checking on Platform Timers
array count
On Tue, Jan 28, 2025 at 12:42:24PM -0800, Oliver Upton wrote:
> Hi Lorenzo,
>
> On Tue, Jan 28, 2025 at 11:50:55AM +0100, Lorenzo Pieralisi wrote:
> > > @@ -188,13 +188,17 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
> > > cnt++;
> > >
> > > if (cnt != gtdt->platform_timer_count) {
> > > + cnt = min(cnt, gtdt->platform_timer_count);
> >
> > Thank you for reporting this.
> >
> > There is something I need to understand.
> >
> > What's wrong cnt (because platform_timer_valid() fails for some
> > reason on some entries whereas before the commit we
> > are fixing was applied we *were* parsing those entries) or
> > gtdt->platform_timer_count ?
> >
> > I *guess* the issue is the following:
> >
> > gtdt->platform_timer_count reports the number of GT blocks in the
> > GTDT not including Arm generic watchdogs, whereas cnt counts both
> > structure types (and that's what gtdt->platform_timer_count should
> > report too if it was correct).
>
> I've seen two different issues so far:
>
> - In one case, the offset of the platform timer array is entirely
> beyond the GTDT
And we were parsing it before the commit you are fixing was applied
because we weren't validating the first entry ?
That's how the loop was working before:
#define for_each_platform_timer(_g)
for (_g = acpi_gtdt_desc.platform_timer; _g;
_g = next_platform_timer(_g))
We were parsing the first entry and now we don't anymore (rightly so),
even with this fix applied, correct ?
> - In another, the GTDT has a timer array of length 2, but only the
> first structure falls within the length of the overall GTDT
Right.
> Since cnt is the result of doing a bounds-checked walk of the platform
> timer array, both of these issues cause the sanity check to fail.
Yep.
> > > if (platform_timer_count)
> > > - *platform_timer_count = gtdt->platform_timer_count;
> > > + *platform_timer_count = cnt;
> >
> > I think this should be fine as things stand (but see above).
> >
> > It is used in:
> >
> > gtdt_sbsa_gwdt_init() - just to check if there are platform timers entries
> >
> > arch_timer_mem_acpi_init() - to create a temporary array to init arch mem timer
> > entries (the array is oversized because it
> > includes watchdog entries in the count)
> >
> > In both cases taking the
> >
> > min(cnt, gtdt->platform_timer_count);
> >
> > should work AFAICS
>
> It was probably worth noting in the changelog that I did this to
> gracefully handle the reverse of this issue where we could dereference
> platform timer entries that are within the bounds of the GTDT but exceed
> gtdt->platform_timer_count.
Yes, that's strike three, where platform_timer_count is borked,
I understand you have not hit this one though but it seems
right to fix it the way you did.
I am just trying to understand given that we are sending the fix to
stable whether this fix can affect other broken GTDTs (or better, whether
other borked FW can affect this change) but I hope not, it should not.
> > (hard to grok though, we - as in ACPI maintainers -
> > need to clean this up).
>
> Heh, thought this smelled a little ripe ;-) Went for the minimal fix
> first.
I am sorry you have to deal with this, the kernel is not there to
validate the firmware but on the other hand when it doesn't that's the
outcome. Apologies.
Lorenzo
Powered by blists - more mailing lists