From: John Baldwin
To: freebsd-acpi@freebsd.org, Dan Lukes
Cc: FreeBSD-gnats-submit@freebsd.org, Hans-Joerg_Hoexer@genua.de
Date: Mon, 9 Jul 2012 08:45:19 -0400
Subject: Re: [ patch ] improper handling of ACPI TCPA table, acpidump abend imminent
Message-Id: <201207090845.19091.jhb@freebsd.org>
In-Reply-To: <201207081154.q68BseNo002031@nb.obluda.cz>

On Sunday, July 08, 2012 7:54:40 am Dan Lukes wrote:
> 
> >Submitter-Id: current-users
> >Originator: Dan Lukes
> >Organization: Obludarium
> >Confidential: no
> >Synopsis: [ patch ] improper handling of ACPI TCPA table, acpidump abend imminent
> >Severity: serious
> >Priority: medium
> >Category: bin
> >Class: sw-bug
> >Release: FreeBSD 9.0 i386
> >Environment:
> System: FreeBSD 9.0
> src/usr.sbin/acpi/acpidump/acpi.c,v 1.42.2.1.2.1
> 
> but applies to all revisions past 1.38 (e.g. all RELENG_9 and HEAD)
> 
> >Description:
> TCG ACPI (TCPA) support added as SVN rev 211196
> 
> 1. event->event_type and event->event_size are big-endian (see TCPA PC Specific Specification, paragraph 7.2.2.2). The current code uses them directly. This causes misinterpretation of values and may cause an abend.
> 
> 2. The 'if (vaddr + event->event_size >= vend )' test is insufficient because:
> 
> 2a) event->event_size is declared signed and may be negative (especially when a big-endian value is used without proper conversion)
> 2b) vaddr + event->event_size may overflow / wrap around even in the case where event_size is positive
> 
> In both cases, memory outside of the range may be referenced. Abend is imminent.
> 
> >How-To-Repeat:
> Dump a non-empty TCPA table. It will print events incorrectly and may abend.
> 
> >Fix:
> 
> 1. use ntohl() to convert event->event_size and event->event_type before use
> 2. test vaddr + eventdatasize for the wraparound/underflow case also

It might be best to use betoh() macros from instead of ntohl().

-- 
John Baldwin
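The two defects the PR describes, decoding the big-endian fields and bounds-checking without relying on vaddr + event_size, shown as an added C example that is neither the acpidump code nor the submitted patch. The per-event layout (pcr_index, event_type, 20-byte digest, event_size, data) and the header offsets are assumptions; the PR itself only names event_type and event_size.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed event layout (the PR names only event_type and event_size):
 * pcr_index(4), event_type(4, big-endian), digest(20), event_size(4,
 * big-endian), then event_size bytes of event data. */
#define EVT_TYPE_OFF 4
#define EVT_SIZE_OFF 28
#define EVT_HDR_LEN  32

/* Decode a big-endian 32-bit field: what ntohl()/be32toh() does to the raw bytes. */
static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk an event log of len bytes, storing up to max decoded event types.
 * Returns the event count, or -1 if a header or its data would pass vend.
 * Lengths are unsigned and checked as "size <= remaining", so a huge
 * (negative if read as signed) event_size cannot wrap vaddr + event_size
 * back inside the buffer the way the original vaddr + size >= vend test could. */
int tcpa_walk(const uint8_t *buf, size_t len, uint32_t *types, size_t max)
{
	const uint8_t *vaddr = buf, *vend = buf + len;
	int n = 0;
	while (vaddr < vend) {
		size_t remaining = (size_t)(vend - vaddr);
		if (remaining < EVT_HDR_LEN)
			return -1;		/* truncated header */
		uint32_t type = get_be32(vaddr + EVT_TYPE_OFF);
		uint32_t size = get_be32(vaddr + EVT_SIZE_OFF);
		if (size > remaining - EVT_HDR_LEN)
			return -1;		/* data would run past vend */
		if ((size_t)n < max)
			types[n] = type;
		n++;
		vaddr += EVT_HDR_LEN + size;
	}
	return n;
}

/* Constructed sample log: event type 1 with 4 data bytes, then type 2 with none. */
const uint8_t sample_log[] = {
	0,0,0,0, 0,0,0,1, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,4, 'a','b','c','d',
	0,0,0,0, 0,0,0,2, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,
};
/* Constructed malformed log: event_size 0xFFFFFFF0, negative if read as signed. */
const uint8_t bad_log[] = {
	0,0,0,0, 0,0,0,1, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0xFF,0xFF,0xFF,0xF0,
};
```

Feeding bad_log to the original test would have let a negative event_size move vaddr backwards; here it is rejected before any data is touched.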