svn commit: r218685 - head/sys/dev/acpica
Jung-uk Kim
jkim at FreeBSD.org
Mon Feb 14 17:52:25 UTC 2011
On Monday 14 February 2011 12:20 pm, Matthew D Fleming wrote:
> Author: mdf
> Date: Mon Feb 14 17:20:20 2011
> New Revision: 218685
> URL: http://svn.freebsd.org/changeset/base/218685
>
> Log:
> Prevent reading from the ACPI_RESOURCE past its actual end. For
> paranoia limit to the size of the ACPI_RESOURCE as well.
>
> Reviewd by: jhb (in spirit)
> MFC after: 1 week
>
> Modified:
> head/sys/dev/acpica/acpi_resource.c
>
> Modified: head/sys/dev/acpica/acpi_resource.c
> ===================================================================
>=========== --- head/sys/dev/acpica/acpi_resource.c Mon Feb 14
> 16:54:03 2011 (r218684) +++ head/sys/dev/acpica/acpi_resource.c Mon
> Feb 14 17:20:20 2011 (r218685) @@ -60,6 +60,7 @@ static ACPI_STATUS
> acpi_lookup_irq_handler(ACPI_RESOURCE *res, void *context)
> {
> struct lookup_irq_request *req;
> + size_t len;
> u_int irqnum, irq;
>
> switch (res->Type) {
> @@ -82,7 +83,10 @@ acpi_lookup_irq_handler(ACPI_RESOURCE *r
> req->found = 1;
> KASSERT(irq == rman_get_start(req->res),
> ("IRQ resources do not match"));
> - bcopy(res, req->acpi_res, sizeof(ACPI_RESOURCE));
> + len = res->Length;
> + if (len > sizeof(ACPI_RESOURCE))
> + len = sizeof(ACPI_RESOURCE);
> + bcopy(res, req->acpi_res, len);
> return (AE_CTRL_TERMINATE);
> }
> return (AE_OK);
Hmm... I am not sure this is a correct fix. For most cases, directly
using sizeof(ACPI_RESOURCE) is evil as it does not reflect actual
size of underlying structure. With the same reason,
sizeof(ACPI_RESOURCE_IRQ) and sizeof(ACPI_RESOURCE_EXTENDED_IRQ) is
not recommended, either. A correct fix is to extend
acpi_lookup_irq_resource() to allocate necessary space dynamically.
Jung-uk Kim
More information about the svn-src-head
mailing list