From owner-svn-src-head@FreeBSD.ORG Mon Feb 14 17:52:24 2011
From: Jung-uk Kim
To: src-committers@FreeBSD.org
Cc: svn-src-head@freebsd.org, Matthew D Fleming, svn-src-all@freebsd.org
Date: Mon, 14 Feb 2011 12:51:44 -0500
Subject: Re: svn commit: r218685 - head/sys/dev/acpica
Message-Id: <201102141252.06136.jkim@FreeBSD.org>
In-Reply-To: <201102141720.p1EHKKeU000451@svn.freebsd.org>
References: <201102141720.p1EHKKeU000451@svn.freebsd.org>

On Monday 14 February 2011 12:20 pm, Matthew D Fleming wrote:
> Author: mdf
> Date: Mon Feb 14 17:20:20 2011
> New Revision: 218685
> URL: http://svn.freebsd.org/changeset/base/218685
>
> Log:
>   Prevent reading from the ACPI_RESOURCE past its actual end. For
>   paranoia limit to the size of the ACPI_RESOURCE as well.
>
>   Reviewed by: jhb (in spirit)
>   MFC after: 1 week
>
> Modified:
>   head/sys/dev/acpica/acpi_resource.c
>
> Modified: head/sys/dev/acpica/acpi_resource.c
> ==============================================================================
> --- head/sys/dev/acpica/acpi_resource.c	Mon Feb 14 16:54:03 2011	(r218684)
> +++ head/sys/dev/acpica/acpi_resource.c	Mon Feb 14 17:20:20 2011	(r218685)
@@ -60,6 +60,7 @@ static ACPI_STATUS > acpi_lookup_irq_handler(ACPI_RESOURCE *res, void *context) > { > struct lookup_irq_request *req; > + size_t len; > u_int irqnum, irq; > > switch (res->Type) { > @@ -82,7 +83,10 @@ acpi_lookup_irq_handler(ACPI_RESOURCE *r > req->found = 1; > KASSERT(irq == rman_get_start(req->res), > ("IRQ resources do not match")); > - bcopy(res, req->acpi_res, sizeof(ACPI_RESOURCE)); > + len = res->Length; > + if (len > sizeof(ACPI_RESOURCE)) > + len = sizeof(ACPI_RESOURCE); > + bcopy(res, req->acpi_res, len); > return (AE_CTRL_TERMINATE); > } > return (AE_OK); Hmm... I am not sure this is a correct fix. For most cases, directly using sizeof(ACPI_RESOURCE) is evil as it does not reflect actual size of underlying structure. With the same reason, sizeof(ACPI_RESOURCE_IRQ) and sizeof(ACPI_RESOURCE_EXTENDED_IRQ) is not recommended, either. A correct fix is to extend acpi_lookup_irq_resource() to allocate necessary space dynamically. Jung-uk Kim
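Review bot: the clamp in the second hunk (`len = res->Length; if (len > sizeof(ACPI_RESOURCE)) len = sizeof(ACPI_RESOURCE);`) makes the copy silently lossy in both directions. When res->Length is larger than the buffer, the tail of the resource is dropped while the copied header still describes the full record; when it is smaller, the rest of req->acpi_res keeps whatever it held before. Neither case is signalled: the handler still sets req->found = 1 and returns AE_CTRL_TERMINATE, so the caller cannot tell a complete copy from a truncated one. Suggest at least a KASSERT or a printf when res->Length > sizeof(ACPI_RESOURCE) so the truncation is visible, or, as the reply proposes, sizing req->acpi_res from res->Length instead of clamping. Minor style point: if sys/param.h is included, `len = MIN(res->Length, sizeof(ACPI_RESOURCE));` expresses the same clamp in one line.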
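The failure mode Jung-uk Kim describes, a fixed sizeof() copy of a record whose real size is carried in its own Length field, shown on a toy structure. This is an added example, not code from the FreeBSD tree, from ACPICA, or from either participant: `struct toy_resource`, `struct toy_irq`, their field names and the sample IRQ numbers are assumptions chosen to mirror the header-plus-trailing-array shape discussed in the thread. `toy_copy_clamped` mirrors the r218685 clamp and reports how many entries actually survive it; `toy_copy_dynamic` does what the reply argues for and sizes the copy from Length, rejecting a record whose Length cannot hold what its count claims.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins (assumptions, not ACPICA's definitions): a record whose
 * Length field gives its real byte size and whose data ends in an array
 * declared with one slot but used with `count` slots. */
struct toy_irq {
	uint8_t  count;          /* valid entries in interrupts[] */
	uint32_t interrupts[1];  /* really `count` entries long */
};

struct toy_resource {
	uint32_t type;
	uint32_t length;         /* bytes in the whole record, header included */
	struct toy_irq irq;
};

/* Bytes a record with n interrupt entries really occupies. */
size_t toy_record_size(unsigned n)
{
	return offsetof(struct toy_resource, irq) +
	    offsetof(struct toy_irq, interrupts) + n * sizeof(uint32_t);
}

/* Build a record with n entries in a buffer sized for it (caller frees).
 * The IRQ numbers are constructed sample values. */
struct toy_resource *toy_make_irq(unsigned n)
{
	struct toy_resource *r = calloc(1, toy_record_size(n));
	uint32_t *ents;
	if (r == NULL)
		return NULL;
	r->type = 1;
	r->length = (uint32_t)toy_record_size(n);
	r->irq.count = (uint8_t)n;
	ents = r->irq.interrupts;
	for (unsigned i = 0; i < n; i++)
		ents[i] = 10 + i;
	return r;
}

/* Entries a reader may safely take from a copy held in buflen bytes:
 * the smaller of what count claims and what the buffer actually holds. */
unsigned toy_entries_present(const struct toy_resource *r, size_t buflen)
{
	size_t hdr = toy_record_size(0);
	if (buflen < hdr)
		return 0;
	unsigned fit = (unsigned)((buflen - hdr) / sizeof(uint32_t));
	return r->irq.count < fit ? r->irq.count : fit;
}

/* Mirrors the r218685 clamp: copy into a fixed-size destination, never
 * more than sizeof(*dst). Returns how many entries survive; the copied
 * count field still claims all of them. dst is zeroed first so the
 * missing tail is at least deterministic. */
unsigned toy_copy_clamped(const struct toy_resource *src, struct toy_resource *dst)
{
	size_t len = src->length;
	if (len > sizeof(*dst))
		len = sizeof(*dst);
	memset(dst, 0, sizeof(*dst));
	memcpy(dst, src, len);
	return toy_entries_present(dst, len);
}

/* The alternative argued for in the reply: size the copy from the record's
 * own Length, after checking Length is self-consistent. Caller frees. */
struct toy_resource *toy_copy_dynamic(const struct toy_resource *src)
{
	if (src->length < toy_record_size(0) ||
	    src->length < toy_record_size(src->irq.count))
		return NULL;   /* malformed: Length cannot hold what count claims */
	struct toy_resource *dst = malloc(src->length);
	if (dst == NULL)
		return NULL;
	memcpy(dst, src, src->length);
	return dst;
}

int main(void)
{
	struct toy_resource fixed, *src = toy_make_irq(3), *dyn;
	if (src == NULL)
		return 1;
	printf("clamped copy keeps %u of %u entries\n",
	    toy_copy_clamped(src, &fixed), fixed.irq.count);
	dyn = toy_copy_dynamic(src);
	printf("dynamic copy keeps %u of %u entries\n",
	    dyn ? toy_entries_present(dyn, dyn->length) : 0, src->irq.count);
	free(dyn);
	free(src);
	return 0;
}
```

With three entries the clamped copy holds only the first one while its count field still says three, which is exactly the read-past-the-data a consumer of the fixed buffer would then perform; the Length-sized copy keeps all three and refuses a record whose Length is shorter than its header.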