mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-02 07:04:24 +00:00
* Fix regression in DMI sysfs code for handling "End of Table" entry
and a type bug that could lead to integer overflow - Ivan Khoronzhuk * Fix boundary checking in efi_high_alloc() which can lead to memory corruption in the EFI boot stubs - Yinghai Lu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJU9FtlAAoJEC84WcCNIz1VjfsP/jnZPtkSapSsFP9c7AfV/vpg i4PLGk+18QhXpNrCVC1U4sdx3y+zefqImrDNEv72BLX6YDb10RvtydxEy4Kg2aaE XzCRinHWu3+IEwv4fKAmNj2HORTl+jn79JDZ97jm1PN5sOxVcRG9e3QBg6aTVhHr MdTXRMAKHYD+ZX5hrCMrbFXi1dboxVsUb1zwMTbJcmPSVPWToqNKCruSwp29LNfP /2ZsJJSHgFP3tobk37JHDTHxjXaN/GUIwQC9cIWUQMPiwU3+WeOvROBPeKUTFNv7 kS4CXY5Q6eKz+pWYqG+FhbfHM71GTWPyFEJNeLtALg2DSKbgL6lJbtkrPpBVXrcU TeHlHnYTlqEpcMqHW3JtrVb0Of0/8X/9YfWjpmdxNcNbbp7KvzTtoBcP8MjGdbIq CztyB4clFsiyy1bEoGHFTVArzch5nn7sRCL3mYhTNQaeyN6TZc0wMXOFF/JU7N5a GCn9VO6T396L/7WdzG0B/Uo01xw11OS/R0jZVoDvtGfAregO+NU+yLunTEYaRtkC prxQ62Bu21EjLKJcdr/toFkEG8sT08XJnGTixRJnJlw+hmsK8WaigBrdpirXT5SV TDJJNyo6A/drfjcPoTI4lCR1CpPV3QXjCTmhh+K6tbvX5/npuWN/i4KJh54WuwT4 BKouS5gjrgYcHH/XJjsQ =GJnM -----END PGP SIGNATURE----- Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into x86/urgent Pull EFI fixes from Matt Fleming: " - Fix regression in DMI sysfs code for handling "End of Table" entry and a type bug that could lead to integer overflow. (Ivan Khoronzhuk) - Fix boundary checking in efi_high_alloc() which can lead to memory corruption in the EFI boot stubs. (Yinghai Lu)" Signed-off-by: Ingo Molnar <mingo@kernel.org>
This commit is contained in:
commit
be482d624c
2 changed files with 13 additions and 12 deletions
|
@ -78,7 +78,7 @@ static const char * __init dmi_string(const struct dmi_header *dm, u8 s)
|
||||||
* We have to be cautious here. We have seen BIOSes with DMI pointers
|
* We have to be cautious here. We have seen BIOSes with DMI pointers
|
||||||
* pointing to completely the wrong place for example
|
* pointing to completely the wrong place for example
|
||||||
*/
|
*/
|
||||||
static void dmi_table(u8 *buf, int len, int num,
|
static void dmi_table(u8 *buf, u32 len, int num,
|
||||||
void (*decode)(const struct dmi_header *, void *),
|
void (*decode)(const struct dmi_header *, void *),
|
||||||
void *private_data)
|
void *private_data)
|
||||||
{
|
{
|
||||||
|
@ -92,12 +92,6 @@ static void dmi_table(u8 *buf, int len, int num,
|
||||||
while ((i < num) && (data - buf + sizeof(struct dmi_header)) <= len) {
|
while ((i < num) && (data - buf + sizeof(struct dmi_header)) <= len) {
|
||||||
const struct dmi_header *dm = (const struct dmi_header *)data;
|
const struct dmi_header *dm = (const struct dmi_header *)data;
|
||||||
|
|
||||||
/*
|
|
||||||
* 7.45 End-of-Table (Type 127) [SMBIOS reference spec v3.0.0]
|
|
||||||
*/
|
|
||||||
if (dm->type == DMI_ENTRY_END_OF_TABLE)
|
|
||||||
break;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* We want to know the total length (formatted area and
|
* We want to know the total length (formatted area and
|
||||||
* strings) before decoding to make sure we won't run off the
|
* strings) before decoding to make sure we won't run off the
|
||||||
|
@ -108,13 +102,20 @@ static void dmi_table(u8 *buf, int len, int num,
|
||||||
data++;
|
data++;
|
||||||
if (data - buf < len - 1)
|
if (data - buf < len - 1)
|
||||||
decode(dm, private_data);
|
decode(dm, private_data);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* 7.45 End-of-Table (Type 127) [SMBIOS reference spec v3.0.0]
|
||||||
|
*/
|
||||||
|
if (dm->type == DMI_ENTRY_END_OF_TABLE)
|
||||||
|
break;
|
||||||
|
|
||||||
data += 2;
|
data += 2;
|
||||||
i++;
|
i++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static phys_addr_t dmi_base;
|
static phys_addr_t dmi_base;
|
||||||
static u16 dmi_len;
|
static u32 dmi_len;
|
||||||
static u16 dmi_num;
|
static u16 dmi_num;
|
||||||
|
|
||||||
static int __init dmi_walk_early(void (*decode)(const struct dmi_header *,
|
static int __init dmi_walk_early(void (*decode)(const struct dmi_header *,
|
||||||
|
|
|
@ -179,12 +179,12 @@ efi_status_t efi_high_alloc(efi_system_table_t *sys_table_arg,
|
||||||
start = desc->phys_addr;
|
start = desc->phys_addr;
|
||||||
end = start + desc->num_pages * (1UL << EFI_PAGE_SHIFT);
|
end = start + desc->num_pages * (1UL << EFI_PAGE_SHIFT);
|
||||||
|
|
||||||
if ((start + size) > end || (start + size) > max)
|
if (end > max)
|
||||||
continue;
|
|
||||||
|
|
||||||
if (end - size > max)
|
|
||||||
end = max;
|
end = max;
|
||||||
|
|
||||||
|
if ((start + size) > end)
|
||||||
|
continue;
|
||||||
|
|
||||||
if (round_down(end - size, align) < start)
|
if (round_down(end - size, align) < start)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue