| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250507-tasteful-wren-of-devotion-f010af@sudeepholla>
Date: Wed, 7 May 2025 16:47:10 +0100
From: Sudeep Holla <sudeep.holla@....com>
To: Jeremy Linton <jeremy.linton@....com>
Cc: "Heyne, Maximilian" <mheyne@...zon.de>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
Sudeep Holla <sudeep.holla@....com>,
"Rafael J. Wysocki" <rafael@...nel.org>,
Len Brown <lenb@...nel.org>, Ard Biesheuvel <ardb@...nel.org>,
Catalin Marinas <catalin.marinas@....com>,
"linux-acpi@...r.kernel.org" <linux-acpi@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ACPI/PPTT: fix off-by-one error
On Wed, May 07, 2025 at 10:25:25AM -0500, Jeremy Linton wrote:
> Hi,
>
> On 5/6/25 8:13 AM, Heyne, Maximilian wrote:
> > Commit 7ab4f0e37a0f ("ACPI PPTT: Fix coding mistakes in a couple of
> > sizeof() calls") corrects the processer entry size but unmasked a longer
> > standing bug where the last entry in the structure can get skipped due
> > to an off-by-one mistake if the last entry ends exactly at the end of
> > the ACPI subtable.
> >
> > The error manifests for instance on EC2 Graviton Metal instances with
> >
> > ACPI PPTT: PPTT table found, but unable to locate core 63 (63)
> > [...]
> > ACPI: SPE must be homogeneous
> >
> > Fixes: 2bd00bcd73e5 ("ACPI/PPTT: Add Processor Properties Topology Table parsing")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Maximilian Heyne <mheyne@...zon.de>
> > ---
> > drivers/acpi/pptt.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/acpi/pptt.c b/drivers/acpi/pptt.c
> > index f73ce6e13065d..4364da90902e5 100644
> > --- a/drivers/acpi/pptt.c
> > +++ b/drivers/acpi/pptt.c
> > @@ -231,7 +231,7 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr,
> > sizeof(struct acpi_table_pptt));
> > proc_sz = sizeof(struct acpi_pptt_processor);
>
> This isn't really right, it should be struct acpi_subtable_header, then once
> the header is safe, pull the length from it.
>
Ah OK. Sorry I wasn't able to understand your point earlier. I get it now.
But just for sake of argument here, accessing entry->length before
doing some sanity check is also risky. So ideally we should be checking
if entry + entry->length <= table_end right ?
> But then, really if we are trying to fix the original bug that the table
> could be shorter than the data in it suggests, the struct
> acpi_pptt_processor length plus its resources needs to be checked once the
> subtype is known to be a processor node.
>
Indeed.
> Otherwise the original sizeof * change isn't really fixing anything.
>
How about extending the check for entry->length ? Do you think it will
be any better ? The entry pointer is anyway updated to jump entry->length
ahead at the end of the loop.
Regards,
Sudeep
-->8
@@ -276,7 +276,7 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he
while ((unsigned long)entry + proc_sz <= table_end) {
cpu_node = (struct acpi_pptt_processor *)entry;
- if (entry->length == 0) {
+ if (!entry->length || entry->length < proc_sz) {
pr_warn("Invalid zero length subtable\n");
break;
}
Powered by blists - more mailing lists