Skip to content

Commit 3c21441

Browse files
torvaldstorvalds
committed
Merge tag 'acpi-6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull ACPI fix from Rafael Wysocki: "Fix ACPI PPTT parsing code to address a regression introduced recently and add more sanity checking of data supplied by the platform firmware to avoid using invalid data (Jeremy Linton)" * tag 'acpi-6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: PPTT: Fix processor subtable walk
2 parents bd8bb9f + adfab6b commit 3c21441

File tree

1 file changed

+8
-3
lines changed

1 file changed

+8
-3
lines changed

drivers/acpi/pptt.c

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -231,16 +231,18 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr,
231231
sizeof(struct acpi_table_pptt));
232232
proc_sz = sizeof(struct acpi_pptt_processor);
233233

234-
while ((unsigned long)entry + proc_sz < table_end) {
234+
/* ignore subtable types that are smaller than a processor node */
235+
while ((unsigned long)entry + proc_sz <= table_end) {
235236
cpu_node = (struct acpi_pptt_processor *)entry;
237+
236238
if (entry->type == ACPI_PPTT_TYPE_PROCESSOR &&
237239
cpu_node->parent == node_entry)
238240
return 0;
239241
if (entry->length == 0)
240242
return 0;
243+
241244
entry = ACPI_ADD_PTR(struct acpi_subtable_header, entry,
242245
entry->length);
243-
244246
}
245247
return 1;
246248
}
@@ -273,15 +275,18 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he
273275
proc_sz = sizeof(struct acpi_pptt_processor);
274276

275277
/* find the processor structure associated with this cpuid */
276-
while ((unsigned long)entry + proc_sz < table_end) {
278+
while ((unsigned long)entry + proc_sz <= table_end) {
277279
cpu_node = (struct acpi_pptt_processor *)entry;
278280

279281
if (entry->length == 0) {
280282
pr_warn("Invalid zero length subtable\n");
281283
break;
282284
}
285+
/* entry->length may not equal proc_sz, revalidate the processor structure length */
283286
if (entry->type == ACPI_PPTT_TYPE_PROCESSOR &&
284287
acpi_cpu_id == cpu_node->acpi_processor_id &&
288+
(unsigned long)entry + entry->length <= table_end &&
289+
entry->length == proc_sz + cpu_node->number_of_priv_resources * sizeof(u32) &&
285290
acpi_pptt_leaf_node(table_hdr, cpu_node)) {
286291
return (struct acpi_pptt_processor *)entry;
287292
}

0 commit comments

Comments
 (0)