* [PATCH] ACPI: Prevent acpi_table_entries from falling into a infinite loop
From: Malcolm Crossley @ 2014-06-03 14:51 UTC
To: xen-devel; +Cc: JBeulich

If a buggy BIOS programs an ACPI table with entry length 0 then
acpi_table_entries gets stuck in an infinite loop.

To aid debugging, report the error and exit the loop.

Signed-off-by: Malcolm Crossley <malcolm.crossley@citrix.com>

diff -r 4708591d8aa8 -r af3b2493951c xen/drivers/acpi/tables.c
--- a/xen/drivers/acpi/tables.c
+++ b/xen/drivers/acpi/tables.c
@@ -238,6 +238,12 @@ acpi_table_parse_entries(char *id,
if (handler(entry, table_end))
return -EINVAL;
+ if (entry->length == 0) {
+ printk(KERN_ERR PREFIX "[%4.4s:0x%02x] Invalid zero length\n",
+ id, entry_id);
+ return -EINVAL;
+ }
+
entry = (struct acpi_subtable_header *)
((unsigned long)entry + entry->length);
}
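
Review bot: The new entry->length == 0 test sits after handler(entry, table_end) has already been called on the same entry, so the handler still processes a subtable that the loop is about to reject as malformed. Move the length check above the handler call so that validation happens before any consumer of the entry runs.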

* Re: [PATCH] ACPI: Prevent acpi_table_entries from falling into a infinite loop
From: Andrew Cooper @ 2014-06-03 14:54 UTC
To: Malcolm Crossley; +Cc: JBeulich, xen-devel

On 03/06/14 15:51, Malcolm Crossley wrote:
> If a buggy BIOS programs an ACPI table with entry length 0 then
> acpi_table_entries gets stuck in an infinite loop.
>
> To aid debugging, report the error and exit the loop.
>
> Signed-off-by: Malcolm Crossley <malcolm.crossley@citrix.com>

Could you put a reference to the Linux commit in the message?

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

>
> diff -r 4708591d8aa8 -r af3b2493951c xen/drivers/acpi/tables.c
> --- a/xen/drivers/acpi/tables.c
> +++ b/xen/drivers/acpi/tables.c
> @@ -238,6 +238,12 @@ acpi_table_parse_entries(char *id,
> if (handler(entry, table_end))
> return -EINVAL;
>
> + if (entry->length == 0) {
> + printk(KERN_ERR PREFIX "[%4.4s:0x%02x] Invalid zero length\n",
> + id, entry_id);
> + return -EINVAL;
> + }
> +
> entry = (struct acpi_subtable_header *)
> ((unsigned long)entry + entry->length);
> }
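
Review bot: The test entry->length == 0 covers only the one value that stalls the advance at the end of the loop; a non-zero length smaller than struct acpi_subtable_header itself still passes, and entry + entry->length then lands inside the current header. Compare against sizeof(*entry) instead, and print entry->length in the message rather than hard-coding "zero length" so the log stays accurate for every rejected value.
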
>

* Re: [PATCH] ACPI: Prevent acpi_table_entries from falling into a infinite loop
From: Jan Beulich @ 2014-06-03 15:51 UTC
To: Andrew Cooper, Malcolm Crossley; +Cc: xen-devel

>>> On 03.06.14 at 16:54, <andrew.cooper3@citrix.com> wrote:
> On 03/06/14 15:51, Malcolm Crossley wrote:
>> If a buggy BIOS programs an ACPI table with entry length 0 then
>> acpi_table_entries gets stuck in an infinite loop.
>>
>> To aid debugging, report the error and exit the loop.
>>
>> Signed-off-by: Malcolm Crossley <malcolm.crossley@citrix.com>
>
> Could you put a reference to the Linux commit in the message?

I was about to ask the same.

> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
>
>>
>> diff -r 4708591d8aa8 -r af3b2493951c xen/drivers/acpi/tables.c
>> --- a/xen/drivers/acpi/tables.c
>> +++ b/xen/drivers/acpi/tables.c
>> @@ -238,6 +238,12 @@ acpi_table_parse_entries(char *id,
>> if (handler(entry, table_end))
>> return -EINVAL;
>>
>> + if (entry->length == 0) {

Furthermore I think this should be done more robustly by
checking <= sizeof(*entry), and before actually doing anything
else with it.

Jan

>> + printk(KERN_ERR PREFIX "[%4.4s:0x%02x] Invalid zero length\n",
>> + id, entry_id);
>> + return -EINVAL;
>> + }
>> +
>> entry = (struct acpi_subtable_header *)
>> ((unsigned long)entry + entry->length);
>> }
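
Review bot: The advance entry = (struct acpi_subtable_header *)((unsigned long)entry + entry->length) at the end of the hunk trusts entry->length as an upper bound as well: nothing in these lines compares the new pointer with table_end, which is in scope here since it is passed to the handler. If the loop condition outside this context does not already guarantee that a whole header fits before table_end, add that check alongside the minimum-length test.
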
>>
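
Added example, not part of the original thread and not Xen code: a stand-alone walker over length-prefixed entries that validates each length before the handler or the pointer advance touches it, as the replies above ask for. The names walk_entries, subtable_header, entry_handler and the sample tables are assumptions made for illustration; the lower bound used here is "shorter than the header", and the <= sizeof(*entry) form suggested in the reply is stricter in that it would also reject header-only entries.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Two-byte header shaped like an ACPI subtable entry (type, length). */
struct subtable_header { uint8_t type; uint8_t length; /* bytes, header included */ };
typedef int (*entry_handler)(const struct subtable_header *e, const uint8_t *end);

/* Walk [start, end): returns entries handled, or -1 on a malformed entry. */
int walk_entries(const uint8_t *start, const uint8_t *end, entry_handler handler)
{
    const uint8_t *p = start;
    int count = 0;

    while ((size_t)(end - p) >= sizeof(struct subtable_header)) {
        struct subtable_header h;
        memcpy(&h, p, sizeof(h));
        /* Validate before the handler or the pointer advance uses the entry. */
        if (h.length < sizeof(h))          /* 0 or 1: shorter than its own header */
            return -1;
        if (h.length > (size_t)(end - p))  /* entry would run past the table end */
            return -1;

        if (handler((const struct subtable_header *)p, end))
            return -1;
        p += h.length;
        count++;
    }
    return count;
}

/* Constructed handler and tables for illustration (not real firmware data). */
static int calls;
static int count_handler(const struct subtable_header *e, const uint8_t *end)
{
    (void)e; (void)end;
    calls++;
    return 0;
}
static const uint8_t good_table[] = { 0, 8, 1, 2, 3, 4, 5, 6,  1, 4, 9, 9 };
static const uint8_t zero_len[]   = { 0, 8, 1, 2, 3, 4, 5, 6,  1, 0, 9, 9 };
static const uint8_t overrun[]    = { 0, 8, 1, 2, 3, 4, 5, 6,  1, 40, 9, 9 };

int main(void)
{
    return walk_entries(good_table, good_table + sizeof(good_table), count_handler) == 2
        && walk_entries(zero_len, zero_len + sizeof(zero_len), count_handler) == -1
        && walk_entries(overrun, overrun + sizeof(overrun), count_handler) == -1 ? 0 : 1;
}
```

In the zero-length and overrun tables the handler runs once, for the first valid entry only; the malformed second entry is rejected before it is handed over.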