All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Dave Jiang" <dave.jiang@intel.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH v2 7/7] ACPI: APEI: GHES: Validate memory error section length before payload access
Date: Tue, 14 Jul 2026 23:41:16 +0000	[thread overview]
Message-ID: <20260714234116.8DE051F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260714231835.303081-8-dave.jiang@intel.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [High] The newly added length check is overly strict and incorrectly rejects legitimate memory error payloads generated by older UEFI firmware, silently dropping valid hardware errors.

Pre-existing issues:
- [High] The payload length check added in `ghes_handle_memory_failure()` is an incomplete fix and placed too late, leaving other consumers of the same payload vulnerable to out-of-bounds reads.
--

--- Patch [7]: [PATCH v2 7/7] ACPI: APEI: GHES: Validate memory error section length before payload access ---
commit e9b5dfb37c8ab1d8db8c3e63d015c33fc4b4b12f
Author: Dave Jiang <dave.jiang@intel.com>

ACPI: APEI: GHES: Validate memory error section length before payload access

This commit attempts to prevent out-of-bounds accesses when handling memory
errors by validating that the CPER section payload length is large enough
to contain a struct cper_sec_mem_err before dereferencing it.

> diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
> index b36f6d268c9fd..e8b2980bd5fea 100644
> --- a/drivers/acpi/apei/ghes.c
> +++ b/drivers/acpi/apei/ghes.c

[ ... ]

> @@ -535,6 +535,9 @@ static bool ghes_handle_memory_failure(struct acpi_hest_generic_data *gdata,
>  	int sec_sev = ghes_severity(gdata->error_severity);
>  	struct cper_sec_mem_err *mem_err = acpi_hest_get_payload(gdata);
>  
> +	if (gdata->error_data_length < sizeof(*mem_err))
> +		return false;
> +

[Severity: High]
Does this length check accidentally reject legitimate memory error payloads
from older UEFI firmware?

If the firmware uses the older v2.1/v2.2 layout (which is 73 bytes long),
comparing gdata->error_data_length against sizeof(*mem_err) (which evaluates
to 80 bytes) will cause this condition to return false.

Could this regression lead to silently dropping valid hardware errors and
preventing the kernel from gracefully offlining broken memory pages?

[Severity: High]
This is a pre-existing issue, but does validating the payload length here in
ghes_handle_memory_failure() leave other consumers vulnerable to
out-of-bounds reads?

Looking at the call chain, the payload is distributed to other consumers
before this function is ever reached:

drivers/acpi/apei/ghes.c:ghes_do_proc() {
        ...
        struct cper_sec_mem_err *mem_err = acpi_hest_get_payload(gdata);
        atomic_notifier_call_chain(&ghes_report_chain, sev, mem_err);
        arch_apei_report_mem_error(sev, mem_err);
        queued = ghes_handle_memory_failure(gdata, sev, sync);
        ...
}

If the payload is truncated, won't callbacks like
ghes_edac_report_mem_error() and apei_mce_report_mem_error() access fields
out of bounds when they check mem_err->validation_bits, potentially
interpreting adjacent garbage memory as a valid physical address?

>  	if (!(mem_err->validation_bits & CPER_MEM_VALID_PA))
>  		return false;
>

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260714231835.303081-1-dave.jiang@intel.com?part=7

      reply	other threads:[~2026-07-14 23:41 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-14 23:18 [PATCH v2 0/7] ACPI: APEI: GHES: Collection of fixes for issues reported by sashiko Dave Jiang
2026-07-14 23:18 ` [PATCH v2 1/7] ACPI: APEI: GHES: Bound CXL event record copy to the firmware section length Dave Jiang
2026-07-14 23:54   ` sashiko-bot
2026-07-14 23:18 ` [PATCH v2 2/7] ACPI: APEI: GHES: Validate CXL protocol error section length before RAS cap copy Dave Jiang
2026-07-14 23:49   ` sashiko-bot
2026-07-14 23:18 ` [PATCH v2 3/7] ACPI: extlog: Avoid populating software AER metadata from raw hardware buffer Dave Jiang
2026-07-14 23:51   ` sashiko-bot
2026-07-14 23:18 ` [PATCH v2 4/7] ACPI: extlog: Validate PCIe error section length before payload access Dave Jiang
2026-07-14 23:45   ` sashiko-bot
2026-07-14 23:18 ` [PATCH v2 5/7] ACPI: extlog: Fix CONFIG_ACPI_APEI_PCIEAER guard typo Dave Jiang
2026-07-14 23:18 ` [PATCH v2 6/7] ACPI: extlog: Defer CXL protocol error handling to avoid lock inversion Dave Jiang
2026-07-14 23:57   ` sashiko-bot
2026-07-14 23:18 ` [PATCH v2 7/7] ACPI: APEI: GHES: Validate memory error section length before payload access Dave Jiang
2026-07-14 23:41   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260714234116.8DE051F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dave.jiang@intel.com \
    --cc=linux-cxl@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.