Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 14 Feb 2011 12:51:44 -0500
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        src-committers@FreeBSD.org
Cc:        svn-src-head@freebsd.org, Matthew D Fleming <mdf@freebsd.org>, svn-src-all@freebsd.org
Subject:   Re: svn commit: r218685 - head/sys/dev/acpica
Message-ID:  <201102141252.06136.jkim@FreeBSD.org>
In-Reply-To: <201102141720.p1EHKKeU000451@svn.freebsd.org>
References:  <201102141720.p1EHKKeU000451@svn.freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Monday 14 February 2011 12:20 pm, Matthew D Fleming wrote:
> Author: mdf
> Date: Mon Feb 14 17:20:20 2011
> New Revision: 218685
> URL: http://svn.freebsd.org/changeset/base/218685
>
> Log:
>   Prevent reading from the ACPI_RESOURCE past its actual end.  For
>   paranoia limit to the size of the ACPI_RESOURCE as well.
>
>   Reviewd by:	jhb (in spirit)
>   MFC after:	1 week
>
> Modified:
>   head/sys/dev/acpica/acpi_resource.c
>
> Modified: head/sys/dev/acpica/acpi_resource.c
> ===================================================================
>=========== --- head/sys/dev/acpica/acpi_resource.c	Mon Feb 14
> 16:54:03 2011	(r218684) +++ head/sys/dev/acpica/acpi_resource.c	Mon
> Feb 14 17:20:20 2011	(r218685) @@ -60,6 +60,7 @@ static ACPI_STATUS
>  acpi_lookup_irq_handler(ACPI_RESOURCE *res, void *context)
>  {
>      struct lookup_irq_request *req;
> +    size_t len;
>      u_int irqnum, irq;
>
>      switch (res->Type) {
> @@ -82,7 +83,10 @@ acpi_lookup_irq_handler(ACPI_RESOURCE *r
>  	req->found = 1;
>  	KASSERT(irq == rman_get_start(req->res),
>  	    ("IRQ resources do not match"));
> -	bcopy(res, req->acpi_res, sizeof(ACPI_RESOURCE));
> +	len = res->Length;
> +	if (len > sizeof(ACPI_RESOURCE))
> +		len = sizeof(ACPI_RESOURCE);
> +	bcopy(res, req->acpi_res, len);
>  	return (AE_CTRL_TERMINATE);
>      }
>      return (AE_OK);

Hmm...  I am not sure this is a correct fix.  For most cases, directly 
using sizeof(ACPI_RESOURCE) is evil as it does not reflect actual 
size of underlying structure.  With the same reason, 
sizeof(ACPI_RESOURCE_IRQ) and sizeof(ACPI_RESOURCE_EXTENDED_IRQ) is 
not recommended, either.  A correct fix is to extend 
acpi_lookup_irq_resource() to allocate necessary space dynamically.

Jung-uk Kim



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201102141252.06136.jkim>