Date: Mon, 14 Feb 2011 12:51:44 -0500 From: Jung-uk Kim <jkim@FreeBSD.org> To: src-committers@FreeBSD.org Cc: svn-src-head@freebsd.org, Matthew D Fleming <mdf@freebsd.org>, svn-src-all@freebsd.org Subject: Re: svn commit: r218685 - head/sys/dev/acpica Message-ID: <201102141252.06136.jkim@FreeBSD.org> In-Reply-To: <201102141720.p1EHKKeU000451@svn.freebsd.org> References: <201102141720.p1EHKKeU000451@svn.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Monday 14 February 2011 12:20 pm, Matthew D Fleming wrote: > Author: mdf > Date: Mon Feb 14 17:20:20 2011 > New Revision: 218685 > URL: http://svn.freebsd.org/changeset/base/218685 > > Log: > Prevent reading from the ACPI_RESOURCE past its actual end. For > paranoia limit to the size of the ACPI_RESOURCE as well. > > Reviewd by: jhb (in spirit) > MFC after: 1 week > > Modified: > head/sys/dev/acpica/acpi_resource.c > > Modified: head/sys/dev/acpica/acpi_resource.c > =================================================================== >=========== --- head/sys/dev/acpica/acpi_resource.c Mon Feb 14 > 16:54:03 2011 (r218684) +++ head/sys/dev/acpica/acpi_resource.c Mon > Feb 14 17:20:20 2011 (r218685) @@ -60,6 +60,7 @@ static ACPI_STATUS > acpi_lookup_irq_handler(ACPI_RESOURCE *res, void *context) > { > struct lookup_irq_request *req; > + size_t len; > u_int irqnum, irq; > > switch (res->Type) { > @@ -82,7 +83,10 @@ acpi_lookup_irq_handler(ACPI_RESOURCE *r > req->found = 1; > KASSERT(irq == rman_get_start(req->res), > ("IRQ resources do not match")); > - bcopy(res, req->acpi_res, sizeof(ACPI_RESOURCE)); > + len = res->Length; > + if (len > sizeof(ACPI_RESOURCE)) > + len = sizeof(ACPI_RESOURCE); > + bcopy(res, req->acpi_res, len); > return (AE_CTRL_TERMINATE); > } > return (AE_OK); Hmm... I am not sure this is a correct fix. For most cases, directly using sizeof(ACPI_RESOURCE) is evil as it does not reflect actual size of underlying structure. With the same reason, sizeof(ACPI_RESOURCE_IRQ) and sizeof(ACPI_RESOURCE_EXTENDED_IRQ) is not recommended, either. A correct fix is to extend acpi_lookup_irq_resource() to allocate necessary space dynamically. Jung-uk Kim
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201102141252.06136.jkim>