From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001
From: Seunghun Han <kkamagui@gmail.com>
Date: Tue, 18 Jul 2017 20:03:51 +0900
Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
The bus_irq argument of mp_override_legacy_irq() is used as the index into
the isa_irq_to_gsi[] array. The bus_irq argument originates from
ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
tables, but is nowhere sanity checked.
That allows broken or malicious ACPI tables to overwrite memory, which
might cause malfunction, panic or arbitrary code execution.
Add a sanity check and emit a warning when that triggers.
[ tglx: Added warning and rewrote changelog ]
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: security@kernel.org
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: stable@vger.kernel.org
---
arch/x86/kernel/acpi/boot.c | 8 ++++++++
1 file changed, 8 insertions(+)
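diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
index 6bb6806..7491e73 100644
--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
 struct mpc_intsrc mp_irq;
 
 /*
+ * Check bus_irq boundary.
+ */
+ if (bus_irq >= NR_IRQS_LEGACY) {
+ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
+ return;
+ }
+
+ /*
 * Convert 'gsi' to 'ioapic.pin'.
 */
 ioapic = mp_find_ioapic(gsi);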
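Review bot: The added comment `Check bus_irq boundary.` says what the test does but not why it is there. The commit message has the reason: bus_irq comes from firmware-supplied MADT entries and is used as an index into isa_irq_to_gsi[]. That belongs next to the check, for example `/* bus_irq comes from the ACPI MADT and indexes isa_irq_to_gsi[]; reject out-of-range values. */`. The hunk does not show the array's declaration, so it is worth confirming that NR_IRQS_LEGACY is the array's actual size rather than a constant that happens to match. The warning could also carry the `FW_BUG` prefix, `pr_warn(FW_BUG "Invalid bus_irq %u for legacy override\n", bus_irq);`, so the message is triaged as a broken firmware table. mp_override_legacy_irq() starts and ends outside the hunk, so the later uses of bus_irq and gsi are not visible here.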