From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
To: Linux ACPI <linux-acpi@vger.kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>, Bob Moore <robert.moore@intel.com>
Subject: [PATCH 05/19] ACPICA: Avoid subobject buffer overflow when validating RSDP signature
Date: Wed, 22 Dec 2021 17:24:44 +0100 [thread overview]
Message-ID: <8005250.T7Z3S40VBb@kreacher> (raw)
In-Reply-To: <11889746.O9o76ZdvQC@kreacher>
From: Jessica Clarke <jrtc27@jrtc27.com>
ACPICA commit 6bb72909c1e3d415aee214104a01bc9834b2d4ce
Since the Signature member is accessed through an struct acpi_table_header, the
pointer to it is only to a 4-char array, and so trying to read past the
4th character, as will be done when it is an RSDP, reads beyond the
bounds of the accessed member. On CHERI, and thus Arm's experimental
Morello prototype architecture, pointers are represented as
capabilities, which are unforgeable bounded pointers, providing
always-on fine-grained spatial memory safety. By default, subobject
bounds enforcement is not enabled, only bounds on allocations, but it is
enabled in the cheri_BSD (a port of free_BSD) kernel as intra-object
overflow attacks are common on operating system kernels, and so this
overflow is detected there and traps.
Link: https://github.com/acpica/acpica/commit/6bb72909
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
drivers/acpi/acpica/tbprint.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/acpica/tbprint.c b/drivers/acpi/acpica/tbprint.c
index 254823d494a2..4dac16bd63d3 100644
--- a/drivers/acpi/acpica/tbprint.c
+++ b/drivers/acpi/acpica/tbprint.c
@@ -101,7 +101,8 @@ acpi_tb_print_table_header(acpi_physical_address address,
ACPI_INFO(("%-4.4s 0x%8.8X%8.8X %06X",
header->signature, ACPI_FORMAT_UINT64(address),
header->length));
- } else if (ACPI_VALIDATE_RSDP_SIG(header->signature)) {
+ } else if (ACPI_VALIDATE_RSDP_SIG(ACPI_CAST_PTR(struct acpi_table_rsdp,
+ header)->signature)) {
/* RSDP has no common fields */
--
2.26.2
next prev parent reply other threads:[~2021-12-22 16:44 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-22 15:56 [PATCH 00/19] ACPICA: ACPICA 20211217 Rafael J. Wysocki
2021-12-22 15:57 ` [PATCH 01/19] ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions Rafael J. Wysocki
2021-12-22 16:21 ` [PATCH 02/19] ACPICA: Use original data_table_region pointer for accesses Rafael J. Wysocki
2021-12-22 16:22 ` [PATCH 03/19] ACPICA: Use original pointer for virtual origin tables Rafael J. Wysocki
2021-12-22 16:23 ` [PATCH 04/19] ACPICA: Macros: Remove ACPI_PHYSADDR_TO_PTR Rafael J. Wysocki
2021-12-22 16:24 ` Rafael J. Wysocki [this message]
2021-12-22 16:25 ` [PATCH 06/19] ACPICA: iASL/Disassembler: Additional support for NHLT table Rafael J. Wysocki
2021-12-22 16:28 ` [PATCH 07/19] ACPICA: Fix AEST Processor generic resource substructure data field byte length Rafael J. Wysocki
2021-12-22 16:29 ` [PATCH 08/19] ACPICA: Utilities: Avoid deleting the same object twice in a row Rafael J. Wysocki
2021-12-22 16:31 ` [PATCH 09/19] ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R() Rafael J. Wysocki
2021-12-22 16:31 ` [PATCH 10/19] ACPICA: Fix wrong interpretation of PCC address Rafael J. Wysocki
2021-12-22 16:32 ` [PATCH 11/19] ACPICA: Add support for PCC Opregion special context data Rafael J. Wysocki
2021-12-22 16:33 ` [PATCH 12/19] ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 Rafael J. Wysocki
2021-12-22 16:35 ` [PATCH 14/19] ACPICA: Change a return_ACPI_STATUS (AE_BAD_PARAMETER) Rafael J. Wysocki
2021-12-22 16:35 ` [PATCH 15/19] ACPICA: Fixed a couple of warnings under MSVC Rafael J. Wysocki
2021-12-22 16:36 ` [PATCH 16/19] ACPICA: iASL: Add TDEL table to both compiler/disassembler Rafael J. Wysocki
2021-12-22 16:37 ` [PATCH 17/19] ACPICA: iASL: Add suppport for AGDI table Rafael J. Wysocki
2021-12-22 16:37 ` [PATCH 18/19] ACPICA: iASL/NHLT table: "Specific Data" field support Rafael J. Wysocki
2021-12-22 16:38 ` [PATCH 19/19] ACPICA: Update version to 20211217 Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8005250.T7Z3S40VBb@kreacher \
--to=rjw@rjwysocki.net \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=robert.moore@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).