From: Gleb Natapov <gleb@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: "H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
x86@kernel.org
Subject: [PATCH] Fix EDD3.0 data verification.
Date: Wed, 2 Feb 2011 13:21:39 +0200
Message-ID: <20110202112139.GD14984@redhat.com>

The check for a nonzero path in edd_has_edd30() makes no sense. First, it
looks at the wrong memory. The device path starts at offset 30 of the
info->params structure, which is at offset 8 from the beginning of the info
structure, but the code looks at info + 4 instead. This was correct when the
code was introduced, but around v2.6.4 three more fields were added to the
edd_info structure (commit 66b61a5c in history.git). Second, even if it
checked the correct memory it would always succeed, since at offset 30
(params->key) there will be non-zero values; otherwise the previous check
would fail.

The patch replaces this bogus check with one that verifies the checksum.

Signed-off-by: Gleb Natapov <gleb@redhat.com>
diff --git a/arch/x86/boot/edd.c b/arch/x86/boot/edd.c
index c501a5b..6c1ac02 100644
--- a/arch/x86/boot/edd.c
+++ b/arch/x86/boot/edd.c
@@ -97,6 +97,13 @@ static int get_edd_info(u8 devno, struct edd_info *ei)
/* Extended Get Device Parameters */
+ /*
+ * The sum of bytes 30-73 in params structure should be zero after
+ * int13 call. Set them to 1 to catch the case when bios works
+ * according to phoenix spec and return 66 bytes. If we left them
+ * to be zero, checksum will not catch that data is in wrong format.
+ */
+ memset(&ei->params.key, 1, 74);
ei->params.length = sizeof(ei->params);
ireg.ah = 0x48;
ireg.si = (size_t)&ei->params;
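Review bot: The memset length of 74 does not match the range named in the comment directly above it. Bytes 30-73 are 44 bytes, and the fill starts at &ei->params.key, which the commit message places at offset 30, so this writes offsets 30-103 and runs 30 bytes past byte 73. If 74 was meant as the size of the whole params structure, the count should be the distance from key to the end of params instead: sizeof(ei->params) minus the offset of key, or a plain 44 to match the comment. If params ends at byte 73, the call as posted overwrites whatever follows it in the boot-time buffer.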
diff --git a/drivers/firmware/edd.c b/drivers/firmware/edd.c
index 96c25d9..5e3baac 100644
--- a/drivers/firmware/edd.c
+++ b/drivers/firmware/edd.c
@@ -531,8 +531,8 @@ static int
edd_has_edd30(struct edd_device *edev)
{
struct edd_info *info;
- int i, nonzero_path = 0;
- char c;
+ int i;
+ u8 csum = 0;
if (!edev)
return 0;
@@ -544,16 +544,11 @@ edd_has_edd30(struct edd_device *edev)
return 0;
}
- for (i = 30; i <= 73; i++) {
- c = *(((uint8_t *) info) + i + 4);
- if (c) {
- nonzero_path++;
- break;
- }
- }
- if (!nonzero_path) {
+ for (i = 30; i <= 73; i++)
+ csum += *(((u8 *)&info->params) + i);
+
+ if (csum)
return 0;
- }
return 1;
}
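Review bot: The new loop in edd_has_edd30() accepts any buffer whose bytes 30-73 sum to zero modulo 256, which includes an all-zero path area, so the check is only sound because arch/x86/boot/edd.c pre-fills that range with 1 before the int13 call. Nothing in this file says so; add a comment here pointing at the boot-side fill, so that a later change to one side does not silently weaken the other. The bounds 30 and 73 are also bare numbers in both files; deriving them from the offset of params.key and sizeof(info->params) would keep the memset and the loop covering the same bytes.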
--
Gleb.
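
Added example, not part of the original message or of the kernel source: a user-space C model of the zero-sum check described above, showing why pre-filling bytes 30-73 with 1 lets it reject a 66-byte result. The fake BIOS, its sample data, and the assumption that a 66-byte result carries a path area that sums to zero on its own are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PARAMS_LEN  74  /* result size implied by "bytes 30-73" */
#define PATH_START  30  /* device path offset from the commit message */
#define SHORT_LEN   66  /* size the patch comment attributes to the Phoenix spec */

/* Sum of bytes 30..73 modulo 256; zero means the path area verifies. */
static uint8_t path_sum(const uint8_t *params)
{
    uint8_t csum = 0;
    for (int i = PATH_START; i < PARAMS_LEN; i++)
        csum += params[i];
    return csum;
}

/* Constructed stand-in for the BIOS call: writes `len` bytes of sample data,
 * the last one chosen so bytes PATH_START..len-1 sum to zero (assumption).
 * Bytes at and after `len` are left untouched. */
static void fake_bios_fill(uint8_t *params, int len)
{
    uint8_t sum = 0;
    if (len <= PATH_START || len > PARAMS_LEN)
        return;
    for (int i = 0; i < len - 1; i++) {
        params[i] = (uint8_t)(0x11 * i + 7);
        if (i >= PATH_START)
            sum += params[i];
    }
    params[len - 1] = (uint8_t)(0 - sum);
}

/* 1 if the zero-sum check accepts the buffer after the path area was
 * pre-filled with `fill` and the fake BIOS wrote `bios_len` bytes. */
static int accepted(uint8_t fill, int bios_len)
{
    uint8_t params[PARAMS_LEN] = {0};
    memset(params + PATH_START, fill, PARAMS_LEN - PATH_START);
    fake_bios_fill(params, bios_len);
    return path_sum(params) == 0;
}

int main(void)
{
    printf("74-byte result, fill 1: %d\n", accepted(1, PARAMS_LEN));
    printf("66-byte result, fill 0: %d\n", accepted(0, SHORT_LEN));
    printf("66-byte result, fill 1: %d\n", accepted(1, SHORT_LEN));
    return 0;
}
```

With a zero pre-fill the 66-byte result passes, because the eight untouched trailing bytes add nothing to the sum; with a pre-fill of 1 they add 8 and the check fails.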