authorSeunghun Han <kkamagui@gmail.com>2017-07-18 20:03:51 +0900
committerSasha Levin <alexander.levin@verizon.com>2017-09-10 10:59:18 -0400
commit424e53f1ee00891001808a1f5dd08a2c7efb9117 (patch)
treea17ea6b79e706d0b431a50c78d444e3baf1f65e5
parent187daab075f0062a012657b94c7fcd2fc4a09e46 (diff)
x86/acpi: Prevent out of bound access caused by broken ACPI tables
[ Upstream commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 ] The bus_irq argument of mp_override_legacy_irq() is used as the index into the isa_irq_to_gsi[] array. The bus_irq argument originates from ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI tables, but is nowhere sanity checked. That allows broken or malicious ACPI tables to overwrite memory, which might cause malfunction, panic or arbitrary code execution. Add a sanity check and emit a warning when that triggers. [ tglx: Added warning and rewrote changelog ] Signed-off-by: Seunghun Han <kkamagui@gmail.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: security@kernel.org Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net> Cc: stable@vger.kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-rw-r--r--arch/x86/kernel/acpi/boot.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
index 07bea80223f6..60aa02503b48 100644
--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
@@ -329,6 +329,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
struct mpc_intsrc mp_irq;
/*
+ * Check bus_irq boundary.
+ */
+ if (bus_irq >= NR_IRQS_LEGACY) {
+ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
+ return;
+ }
+
+ /*
* Convert 'gsi' to 'ioapic.pin'.
*/
ioapic = mp_find_ioapic(gsi);
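Review bot: The new guard `if (bus_irq >= NR_IRQS_LEGACY)` bounds the index by a constant rather than by the array it protects, and the comment `Check bus_irq boundary.` does not name that array or say why the value is untrusted. Per the commit message bus_irq indexes isa_irq_to_gsi[]; its declaration is outside this hunk, so presumably it is sized NR_IRQS_LEGACY, but `if (bus_irq >= ARRAY_SIZE(isa_irq_to_gsi)) {` would keep the check tied to the array if its size ever changes. I would also reword the comment to something like `bus_irq comes from firmware-supplied MADT entries and is used to index isa_irq_to_gsi[]; reject out-of-range values.` The body of mp_override_legacy_irq() starts and ends outside the hunk, so the indexed write itself is not visible here.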