Date: Thu, 10 Oct 2024 16:52:07 +0100
Message-ID: <86ldyw5520.wl-maz@kernel.org>
From: Marc Zyngier
To: Zheng Zengkai
Subject: Re: [PATCH] ACPI: GTDT: Tighten the check for the first platform timer entry
In-Reply-To: <20241010144703.113728-1-zhengzengkai@huawei.com>
References: <20241010144703.113728-1-zhengzengkai@huawei.com>
X-Mailing-List: linux-acpi@vger.kernel.org

On Thu, 10 Oct 2024 15:47:03 +0100, Zheng Zengkai wrote:
>
> As suggested by Marc and Lorenzo, first we need to check whether
> the platform_timer pointer is within gtdt bounds (< gtdt_end) before
> de-referencing what it points at to detect the (first) platform
> timer entry length and check that next platform_timer pointer is
> within gtdt_end too. Now we do that only in next_platform_timer()
> for subsequent platform timers.
>
> So add check against table length (gtdt_end) for the first platform
> timer entry.
>
> Suggested-by: Marc Zyngier
> Suggested-by: Lorenzo Pieralisi
> Signed-off-by: Zheng Zengkai
> --- > drivers/acpi/arm64/gtdt.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c > index c0e77c1c8e09..f249af1ed1cd 100644 > --- a/drivers/acpi/arm64/gtdt.c
> +++ b/drivers/acpi/arm64/gtdt.c > @@ -177,7 +177,8 @@ int __init acpi_gtdt_init(struct acpi_table_header *table, > } > > platform_timer = (void *)gtdt + gtdt->platform_timer_offset; > - if (platform_timer < (void *)table + sizeof(struct acpi_table_gtdt)) { > + if (platform_timer < (void *)table + sizeof(struct acpi_table_gtdt) || > + platform_timer >= acpi_gtdt_desc.gtdt_end) { > pr_err(FW_BUG "invalid timer data.\n"); > return -EINVAL; > }

You are only checking the base pointer for the platform_timer array. This doesn't say anything about the *size* of that array (or at least its first element), and whether that actually fits in the table.

M.

-- 
Without deviation from the norm, progress is not possible.
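
Review bot: the added condition `platform_timer >= acpi_gtdt_desc.gtdt_end` compares only the entry's start address with the end of the table, so an offset that lands just before gtdt_end still passes and the first entry's length would then be read from beyond the table. The commit message says the entry length and the next pointer should be checked against gtdt_end for the first entry as next_platform_timer() does for later ones; suggest also rejecting the table here when the first entry's header, or the length it declares, extends past gtdt_end.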
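
The difference between checking only the base pointer and checking that the first element fits, as an added user-space example (not code from the patch or the kernel). FIXED_LEN, HDR_LEN, the helper names and both sample tables are constructed for illustration, and the 1-byte type plus 2-byte little-endian length header is an assumption of this model.

```c
#include <stddef.h>
#include <stdint.h>

#define FIXED_LEN 8u   /* assumed size of the fixed table part (constructed) */
#define HDR_LEN   3u   /* assumed entry header: 1-byte type + 2-byte length */

/* Start-only check, mirroring the patched condition: the entry's first
 * byte must lie after the fixed part and before the end of the table. */
static int start_in_bounds(size_t table_len, size_t off)
{
    return off >= FIXED_LEN && off < table_len;
}

/* Full check: also require that the header fits before its length field is
 * read, and that the declared length covers the header and fits the table. */
static int entry_fits(const uint8_t *table, size_t table_len, size_t off)
{
    size_t remaining, length;

    if (!start_in_bounds(table_len, off))
        return 0;
    remaining = table_len - off;
    if (remaining < HDR_LEN)
        return 0;                       /* truncated header */
    length = (size_t)table[off + 1] | ((size_t)table[off + 2] << 8);
    if (length < HDR_LEN)
        return 0;                       /* cannot even hold the header */
    return length <= remaining;
}

/* Constructed samples, 12 bytes each: the entry at offset 8 claims 20 bytes
 * in 'bad' (only 4 remain) and 4 bytes in 'good'. */
static const uint8_t bad[12]  = { [8] = 0x01, [9] = 20, [10] = 0 };
static const uint8_t good[12] = { [8] = 0x01, [9] = 4,  [10] = 0 };

/* Returns 1 when the start-only check accepts what the full check rejects. */
static int start_only_gap(const uint8_t *table, size_t table_len, size_t off)
{
    return start_in_bounds(table_len, off) && !entry_fits(table, table_len, off);
}

int main(void)
{
    /* Exit status 0 when both samples behave as described above. */
    return !(start_only_gap(bad, sizeof(bad), 8) &&
             entry_fits(good, sizeof(good), 8));
}
```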