forge/linux-pinenote
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ACPICA: Resource Mgr: Prevent infinite loops in resource walks

Browse source 
Add checks for zero-length resource descriptors in all code that
loops through a resource descriptor list. This prevents possible
infinite loops because the length is used to increment the traveral
pointer and detect the end-of-descriptor.

Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
This commit is contained in:
Bob Moore 2013-03-08 09:19:38 +00:00 committed by Rafael J. Wysocki
commit c13085e519
4 changed files with 29 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
drivers/acpi/acpica/rscalc.c
View file

@ -202,6 +202,12 @@ acpi_rs_get_aml_length(struct acpi_resource * resource, acpi_size * size_needed)
return_ACPI_STATUS(AE_AML_INVALID_RESOURCE_TYPE); return_ACPI_STATUS(AE_AML_INVALID_RESOURCE_TYPE);
} }
/* Sanity check the length. It must not be zero, or we loop forever */
if (!resource->length) {
return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);
}
/* Get the base size of the (external stream) resource descriptor */ /* Get the base size of the (external stream) resource descriptor */
total_size = acpi_gbl_aml_resource_sizes[resource->type]; total_size = acpi_gbl_aml_resource_sizes[resource->type];

8
drivers/acpi/acpica/rsdump.c
View file

@ -385,6 +385,14 @@ void acpi_rs_dump_resource_list(struct acpi_resource *resource_list)
return; return;
} }
/* Sanity check the length. It must not be zero, or we loop forever */
if (!resource_list->length) {
acpi_os_printf
("Invalid zero length descriptor in resource list\n");
return;
}
/* Dump the resource descriptor */ /* Dump the resource descriptor */
if (type == ACPI_RESOURCE_TYPE_SERIAL_BUS) { if (type == ACPI_RESOURCE_TYPE_SERIAL_BUS) {

8
drivers/acpi/acpica/rslist.c
View file

@ -178,6 +178,14 @@ acpi_rs_convert_resources_to_aml(struct acpi_resource *resource,
return_ACPI_STATUS(AE_BAD_DATA); return_ACPI_STATUS(AE_BAD_DATA);
} }
/* Sanity check the length. It must not be zero, or we loop forever */
if (!resource->length) {
ACPI_ERROR((AE_INFO,
"Invalid zero length descriptor in resource list\n"));
return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);
}
/* Perform the conversion */ /* Perform the conversion */
if (resource->type == ACPI_RESOURCE_TYPE_SERIAL_BUS) { if (resource->type == ACPI_RESOURCE_TYPE_SERIAL_BUS) {

8
drivers/acpi/acpica/rsxface.c
View file

@ -563,13 +563,19 @@ acpi_walk_resource_buffer(struct acpi_buffer * buffer,
while (resource < resource_end) { while (resource < resource_end) {
/* Sanity check the resource */ /* Sanity check the resource type */
if (resource->type > ACPI_RESOURCE_TYPE_MAX) { if (resource->type > ACPI_RESOURCE_TYPE_MAX) {
status = AE_AML_INVALID_RESOURCE_TYPE; status = AE_AML_INVALID_RESOURCE_TYPE;
break; break;
} }
/* Sanity check the length. It must not be zero, or we loop forever */
if (!resource->length) {
return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);
}
/* Invoke the user function, abort on any error returned */ /* Invoke the user function, abort on any error returned */
status = user_function(resource, context); status = user_function(resource, context);