
Re: [Xen-devel] [PATCH v2] ACPI: Prevent acpi_table_entries from falling into a infinite loop



>>> On 03.06.14 at 18:44, <malcolm.crossley@xxxxxxxxxx> wrote:
> If a buggy BIOS programs an ACPI table with entry length 0 then
> acpi_table_entries gets stuck in an infinite loop.

I'll re-word this to "with too small an entry length" to match actual code.

> To aid debugging, report the error and exit the loop.
> 
> Based on Linux kernel commit 369d913b242cae2205471b11b6e33ac368ed33ec
> 
> Signed-off-by: Malcolm Crossley <malcolm.crossley@xxxxxxxxxx>
> 
> diff -r 4708591d8aa8 -r 144fabe8dcb7 xen/drivers/acpi/tables.c
> --- a/xen/drivers/acpi/tables.c
> +++ b/xen/drivers/acpi/tables.c
> @@ -233,6 +233,12 @@ acpi_table_parse_entries(char *id,
>  
>       while (((unsigned long)entry) + sizeof(struct acpi_subtable_header) <
>              table_end) {
> +             if (entry->length <= sizeof(*entry)) {

I realize I (wrongly) recommended <= here; I'll correct this to <.

> +                     printk(KERN_ERR PREFIX "[%4.4s:0x%02x] Invalid 
> length\n",
> +                            id, entry_id);

I also wonder whether printing the requested entry ID here isn't
going to be confusing (as the error isn't necessarily being found on
that entry), but I'll leave that as is for now (since with ->length
being invalid there's no basis to trust ->type).

> +                     return -EINVAL;

And I'll make this -ENODATA.

Jan

> +             }
> +
>               if (entry->type == entry_id
>                   && (!max_entries || count++ < max_entries))
>                       if (handler(entry, table_end))
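
Review bot: the added check at the top of the loop body bounds entry->length only from below; nothing in the visible lines rejects a length that would carry the entry past table_end before handler(entry, table_end) is called. The while condition only guarantees that the subtable header itself fits below table_end. Consider also rejecting the entry when (unsigned long)entry + entry->length > table_end, so that handlers never receive a subtable whose claimed length overruns the table.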



