ACPI: APEI: Fix possible out-of-bounds access to BERT region

mainline inclusion from mainline-5.0 commit 1c0d9b1c31d1 category: bugfix bugzilla: 11629 CVE: NA ------------------------------------------------- Check that the length recorded in the generic error status block is within the region before checking the contents of the region itself. Otherwise it may result in an out-of-bounds access if the system firmware has generated a status block with an invalid length (larger than the mapped region). Also move the block_status check so that it only happens after the block has been verified to be within the mapped region. Signed-off-by: N Ross Lagerwall <ross.lagerwall@citrix.com> Acked-by: N Borislav Petkov <bp@suse.de> Tested-by: N Tyler Baicar <baicar.tyler@gmail.com> Signed-off-by: N Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: N Xiongfeng Wang <wangxiongfeng2@huawei.com> Reviewed-by: N Yao Hongbo <yaohongbo@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

ACPI: APEI: Fix possible out-of-bounds access to BERT region
mainline inclusion from mainline-5.0 commit 1c0d9b1c31d1 category: bugfix bugzilla: 11629 CVE: NA ------------------------------------------------- Check that the length recorded in the generic error status block is within the region before checking the contents of the region itself. Otherwise it may result in an out-of-bounds access if the system firmware has generated a status block with an invalid length (larger than the mapped region). Also move the block_status check so that it only happens after the block has been verified to be within the mapped region. Signed-off-by: N Ross Lagerwall <ross.lagerwall@citrix.com> Acked-by: N Borislav Petkov <bp@suse.de> Tested-by: N Tyler Baicar <baicar.tyler@gmail.com> Signed-off-by: N Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: N Xiongfeng Wang <wangxiongfeng2@huawei.com> Reviewed-by: N Yao Hongbo <yaohongbo@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
5104405b · Ross Lagerwall · Xie XiuQi · 7c250b79 · 5104405b
隐藏空白更改
内联并排

Showing with 10 addition and 13 deletion

drivers/acpi/apei/bert.c drivers/acpi/apei/bert.c +10 -13

未找到文件。
--- a/drivers/acpi/apei/bert.c
+++ b/drivers/acpi/apei/bert.c
@@ -42,15 +42,7 @@ static void __init bert_print_all(struct acpi_bert_region *region,
 	int remain = region_len;
 	u32 estatus_len;

-	if (!estatus->block_status)
-		return;
-
-	while (remain > sizeof(struct acpi_bert_region)) {
-		if (cper_estatus_check(estatus)) {
-			pr_err(FW_BUG "Invalid error record.\n");
-			return;
-		}
-
+	while (remain >= sizeof(struct acpi_bert_region)) {
 		estatus_len = cper_estatus_len(estatus);
 		if (remain < estatus_len) {
 			pr_err(FW_BUG "Truncated status block (length: %u).\n",
@@ -58,6 +50,15 @@ static void __init bert_print_all(struct acpi_bert_region *region,
 			return;
 		}

+		/* No more error records. */
+		if (!estatus->block_status)
+			return;
+
+		if (cper_estatus_check(estatus)) {
+			pr_err(FW_BUG "Invalid error record.\n");
+			return;
+		}
+
 		pr_info_once("Error records from previous boot:\n");

 		cper_estatus_print(KERN_INFO HW_ERR, estatus);
@@ -70,10 +71,6 @@ static void __init bert_print_all(struct acpi_bert_region *region,
 		estatus->block_status = 0;

 		estatus = (void *)estatus + estatus_len;
-		/* No more error records. */
-		if (!estatus->block_status)
-			return;
-
 		remain -= estatus_len;
 	}
 }