grub-devel

Re: [PATCH] acpi: Fix out of bounds access in grub_acpi_xsdt_find_table()


From: Mate Kukri
Subject: Re: [PATCH] acpi: Fix out of bounds access in grub_acpi_xsdt_find_table()
Date: Wed, 16 Oct 2024 14:18:42 +0100

We have reverted the SPCR table patches in Debian due to crashes; I
guess this might have been the reason.

On Wed, Oct 16, 2024 at 6:20 AM Benjamin Herrenschmidt
<benh@kernel.crashing.org> wrote:
>
> The calculation of the size of the table was incorrect (copy/pasta from
> grub_acpi_rsdt_find_table() I assume...). The entries are 64-bit long.
>
> This causes us to access beyond the end of the table which is causing
> crashes during boot on some systems. Typically this is causing a crash
> on VMware when using UEFI and enabling serial autodetection, as
>
> grub_acpi_find_table (GRUB_ACPI_SPCR_SIGNATURE);
>
> will go past the end of the table (the SPCR table doesn't exist).
>
> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> ---
>  grub-core/kern/acpi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/grub-core/kern/acpi.c b/grub-core/kern/acpi.c
> index 48ded4e2e..8ff0835d5 100644
> --- a/grub-core/kern/acpi.c
> +++ b/grub-core/kern/acpi.c
> @@ -75,7 +75,7 @@ grub_acpi_xsdt_find_table (struct
> grub_acpi_table_header *xsdt, const char *sig)
>      return 0;
>
>    ptr = (grub_unaligned_uint64_t *) (xsdt + 1);
> -  s = (xsdt->length - sizeof (*xsdt)) / sizeof (grub_uint32_t);
> +  s = (xsdt->length - sizeof (*xsdt)) / sizeof (grub_uint64_t);
>    for (; s; s--, ptr++)
>      {
>        struct grub_acpi_table_header *tbl;
>
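Review bot: In the changed line `s = (xsdt->length - sizeof (*xsdt)) / sizeof (grub_uint64_t);` the divisor is still a hard-coded type that has to be kept in step with the type of `ptr` by hand, and the commit message attributes the old 32-bit divisor to exactly that kind of copy/paste. Writing it as `sizeof (*ptr)` would tie the entry count to the stride of `ptr++` in the loop, so the two cannot diverge again. Separately, nothing in the visible lines guards the subtraction: unless the check ending in `return 0;` above already rejects it, an `xsdt->length` smaller than `sizeof (*xsdt)` wraps to a very large count, so a length check before this line would be worth adding.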



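The miscount described in the quoted commit message, as an added example that is not part of the original thread and is not GRUB's code: dividing an XSDT body by 4 instead of 8 doubles the number of slots a walker visits, so a lookup for an absent table runs past the end. All names here are hypothetical, and the constructed table stores offsets into a local buffer instead of physical addresses.

```c
#include <stdint.h>
#include <string.h>

#define HDR_LEN 36u  /* size of the standard ACPI table header */

/* Constructed sample, not firmware data: entries hold offsets into this
   arena instead of physical addresses (an assumption of this sketch). */
static uint8_t arena[256];

static void put_header(size_t off, const char *sig, uint32_t length)
{
    memcpy(arena + off, sig, 4);
    memcpy(arena + off + 4, &length, 4);  /* length = header + body */
}

void build_sample(void)
{
    uint64_t entries[2] = { 64, 128 };    /* offsets of FACP and APIC */
    memset(arena, 0, sizeof(arena));
    put_header(0, "XSDT", HDR_LEN + sizeof(entries));
    memcpy(arena + HDR_LEN, entries, sizeof(entries));
    put_header(64, "FACP", HDR_LEN);
    put_header(128, "APIC", HDR_LEN);
}

/* Entry slots a walker visits when it divides the body by entry_size. */
size_t slots_visited(size_t entry_size)
{
    uint32_t length;
    memcpy(&length, arena + 4, 4);
    return length < HDR_LEN ? 0 : (length - HDR_LEN) / entry_size;
}

/* Count and stride both come from sizeof(entry); each entry is range-checked
   before use. Returns the table's arena offset, or -1 if sig is absent. */
long find_table(const char *sig)
{
    uint64_t entry;
    size_t n = slots_visited(sizeof(entry));
    for (size_t i = 0; i < n; i++) {
        memcpy(&entry, arena + HDR_LEN + i * sizeof(entry), sizeof(entry));
        if (entry <= sizeof(arena) - HDR_LEN && !memcmp(arena + entry, sig, 4))
            return (long)entry;
    }
    return -1;
}
```

Call `build_sample()` first; `slots_visited(4)` then reports twice the real entry count, which is the over-read the patch removes.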