Date:      Mon, 9 Jul 2012 08:45:19 -0400
From:      John Baldwin <jhb@freebsd.org>
To:        freebsd-acpi@freebsd.org, Dan Lukes <dan@obluda.cz>
Cc:        FreeBSD-gnats-submit@freebsd.org, Hans-Joerg_Hoexer@genua.de
Subject:   Re: [ patch ] improper handling of ACPI TCPA table, acpidump abend imminent
Message-ID:  <201207090845.19091.jhb@freebsd.org>
In-Reply-To: <201207081154.q68BseNo002031@nb.obluda.cz>
References:  <201207081154.q68BseNo002031@nb.obluda.cz>

On Sunday, July 08, 2012 7:54:40 am Dan Lukes wrote:
> 
> >Submitter-Id:	current-users
> >Originator:	Dan Lukes
> >Organization:	Obludarium
> >Confidential:	no 
> >Synopsis:	[ patch ] improper handling of ACPI TCPA table, acpidump abend imminent
> >Severity:	serious
> >Priority:	medium
> >Category:	bin
> >Class:		sw-bug
> >Release:	FreeBSD 9.0 i386
> >Environment:
> System: FreeBSD 9.0
> src/usr.sbin/acpi/acpidump/acpi.c,v 1.42.2.1.2.1
> 
> but apply for all revisions past 1.38 (e.g. all RELENG_9 and HEAD)
> 
> >Description:
> 	TCG ACPI (TCPA) support added as SVN rev 211196
> 
> 1. event->event_type and event->event_size are big-endian (see TCPA PC Specific Specification, paragraph 7.2.2.2). Current code uses them directly. It causes misinterpretation of values and may cause abend.
> 
> 2. 'if (vaddr + event->event_size >= vend )' test is insufficient because:
> 
> 2a) event->event_size is declared signed and may be negative (especially when big-endian value used without proper conversion)
> 2b) vaddr+event->event_size may overflow / wrap around even in the case the event_size is positive
> 
> In both cases, memory outside of <vaddr,vend> range may be referenced. Abend is imminent.
> 
> >How-To-Repeat:
> Dump non-empty TCPA table. It will print events incorrectly, may abend.
> 
> >Fix:
> 
> 1. use ntohl() to convert event->event_size and event->event_type before use
> 2. test vaddr + eventdatasize for wraparound/underflow case also 

It might be best to use betoh() macros from <sys/endian.h> instead of ntohl().

-- 
John Baldwin
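The two defects the report describes, the byte-order misread and the wrappable `vaddr + event_size` check, are easiest to see side by side in code. The block below is an added example written for this page; it is not FreeBSD's acpidump source and not code from either poster. It assumes the standard TCG PC-client event header (pcr_index, event_type, 20-byte digest, event_size, then event_size bytes of data) and follows the report in treating the two integer fields as big-endian. The sample logs, including the event whose size field is 0xFFFFFFF0, are constructed here for illustration. The naive check is written over buffer offsets rather than pointers so that the wrap is well-defined unsigned arithmetic and the flaw can be shown without undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed header of one TCG PC-client event: pcr_index(4), event_type(4),
 * 20-byte SHA-1 digest, event_size(4), followed by event_size data bytes.
 * Per the report, the integer fields are stored big-endian in the log. */
#define TCPA_EVENT_HDR 32u
#define EVENT_TYPE_OFF  4u
#define EVENT_SIZE_OFF 28u

static uint32_t rd_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Reading the same bytes in host (little-endian) order is the
 * misinterpretation described in point 1 of the report. */
uint32_t rd_le32(const uint8_t *p)
{
	return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
	       ((uint32_t)p[1] << 8) | (uint32_t)p[0];
}

static void wr_be32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Write one event (constructed sample data, digest left zero) at buf and
 * return the bytes written. data == NULL writes a header only, which lets
 * a test craft a size field that no data actually backs. */
size_t put_event(uint8_t *buf, uint32_t pcr, uint32_t type,
                 const uint8_t *data, uint32_t size)
{
	memset(buf, 0, TCPA_EVENT_HDR);
	wr_be32(buf, pcr);
	wr_be32(buf + EVENT_TYPE_OFF, type);
	wr_be32(buf + EVENT_SIZE_OFF, size);
	if (data != NULL)
		memcpy(buf + TCPA_EVENT_HDR, data, size);
	return TCPA_EVENT_HDR + (data != NULL ? size : 0);
}

/* The check the report criticises ('vaddr + event_size >= vend') with a
 * signed size, expressed over offsets. A negative event_size wraps the sum
 * back below len, so the event is wrongly accepted (returns 1). */
int naive_size_check(size_t off, int32_t event_size, size_t len)
{
	return off + (size_t)event_size < len;
}

/* Hardened form: compare the claimed size with the bytes remaining after
 * the header. No address that could wrap is ever formed. */
int safe_size_check(size_t off, uint32_t event_size, size_t len)
{
	if (off > len || len - off < TCPA_EVENT_HDR)
		return 0;
	return event_size <= len - off - TCPA_EVENT_HDR;
}

/* Walk a TCPA event log in [buf, buf+len). Returns the number of complete
 * events before the all-zero terminator (or the end of the buffer), or -1
 * as soon as an event claims more data than the buffer holds. */
int count_tcpa_events(const uint8_t *buf, size_t len)
{
	size_t off = 0;
	int n = 0;

	while (len - off >= TCPA_EVENT_HDR) {
		uint32_t type = rd_be32(buf + off + EVENT_TYPE_OFF);
		uint32_t size = rd_be32(buf + off + EVENT_SIZE_OFF);

		if (type == 0 && size == 0)
			break;                      /* end-of-log marker */
		if (!safe_size_check(off, size, len))
			return -1;                  /* would read past vend */
		off += TCPA_EVENT_HDR + size;   /* bounded by len, cannot wrap */
		n++;
	}
	return n;
}

/* Constructed sample: two well-formed events, then a terminator. */
size_t build_valid_log(uint8_t *buf)
{
	static const uint8_t data[4] = { 'A', 'B', 'C', 'D' };
	size_t off = 0;
	off += put_event(buf + off, 0, 1, data, sizeof data);
	off += put_event(buf + off, 7, 2, NULL, 0);
	off += put_event(buf + off, 0, 0, NULL, 0);
	return off;
}

/* Constructed sample: a valid event, then a header whose big-endian size
 * field is 0xFFFFFFF0 (-16 when read as a signed 32-bit value). */
size_t build_wrapping_log(uint8_t *buf)
{
	size_t off = 0;
	off += put_event(buf + off, 0, 1, NULL, 0);
	off += put_event(buf + off, 0, 1, NULL, 0xFFFFFFF0u);
	return off;
}

int main(void)
{
	uint8_t buf[128];
	size_t len = build_valid_log(buf);
	printf("valid log: %d events\n", count_tcpa_events(buf, len));
	printf("size of first event read LE: 0x%08x, BE: %u\n",
	       rd_le32(buf + EVENT_SIZE_OFF), rd_be32(buf + EVENT_SIZE_OFF));

	len = build_wrapping_log(buf);
	int32_t bad = (int32_t)rd_be32(buf + TCPA_EVENT_HDR + EVENT_SIZE_OFF);
	printf("naive check accepts wrapped size: %d\n",
	       naive_size_check(TCPA_EVENT_HDR, bad, len));
	printf("safe check accepts it: %d\n",
	       safe_size_check(TCPA_EVENT_HDR, (uint32_t)bad, len));
	printf("hardened walk result: %d\n", count_tcpa_events(buf, len));
	return 0;
}
```

The point the report makes about point 1 shows up in the first printout: a size of 4 stored big-endian reads as 0x04000000 in host order, so even the hardened check would be fed garbage if the byte swap were skipped. The second log shows why the original test is not enough: with the size read as a signed value, `off + event_size` wraps back inside the buffer and the naive check passes, while the remaining-length comparison rejects it and the walk stops with -1 instead of reading beyond `vend`.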