diff options
| author | Alexander Motin <mav@FreeBSD.org> | 2022-02-03 20:18:31 +0000 |
|---|---|---|
| committer | Alexander Motin <mav@FreeBSD.org> | 2022-02-13 18:26:55 +0000 |
| commit | 376fd49ae3b9f07e122a3479f65c9414b38d7bae (patch) | |
| tree | 87573618555997f88c74696b4b6c99d7f19057c4 | |
| parent | 85cd9f7e989bab02aee32a5f25d517567a0cc928 (diff) | |
| download | src-376fd49ae3b9f07e122a3479f65c9414b38d7bae.tar.gz src-376fd49ae3b9f07e122a3479f65c9414b38d7bae.zip | |
APEI: Make sure event data fit into the buffer.
There seem to be systems returning some garbage here. I still don't
know why, but at least I hope this check fix indefinite printf loop.
MFC after: 2 weeks
(cherry picked from commit 3b248a2113829e43c382f5e2b1f85c626c01f024)
| -rw-r--r-- | sys/dev/acpica/acpi_apei.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sys/dev/acpica/acpi_apei.c b/sys/dev/acpica/acpi_apei.c index c957959317ce..35bab30a68f1 100644 --- a/sys/dev/acpica/acpi_apei.c +++ b/sys/dev/acpica/acpi_apei.c @@ -371,8 +371,9 @@ apei_ge_handler(struct apei_ge *ge, bool copy) uint8_t *buf = copy ? ge->copybuf : ge->buf; ACPI_HEST_GENERIC_STATUS *ges = (ACPI_HEST_GENERIC_STATUS *)buf; ACPI_HEST_GENERIC_DATA *ged; + size_t off, len; uint32_t sev; - int i, c, off; + int i, c; if (ges == NULL || ges->BlockStatus == 0) return (0); @@ -381,8 +382,11 @@ apei_ge_handler(struct apei_ge *ge, bool copy) sev = ges->ErrorSeverity; /* Process error entries. */ - for (off = i = 0; i < c && off + sizeof(*ged) <= ges->DataLength; i++) { + len = MIN(ge->v1.ErrorBlockLength - sizeof(*ges), ges->DataLength); + for (off = i = 0; i < c && off + sizeof(*ged) <= len; i++) { ged = (ACPI_HEST_GENERIC_DATA *)&buf[sizeof(*ges) + off]; + if ((uint64_t)GED_SIZE(ged) + ged->ErrorDataLength > len - off) + break; apei_ged_handler(ged); off += GED_SIZE(ged) + ged->ErrorDataLength; } |