git: b7f6b86ee7e4 - stable/14 - gic_acpi: Limit the number of CPUs to GIC_MAXCPU
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 11 Oct 2023 15:44:30 UTC
The branch stable/14 has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=b7f6b86ee7e49718ab8bf74f7a33fa8cda4d38dc
commit b7f6b86ee7e49718ab8bf74f7a33fa8cda4d38dc
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2023-09-09 19:13:57 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-10-11 15:10:32 +0000
gic_acpi: Limit the number of CPUs to GIC_MAXCPU
madt_table_data contains an array of pointers for each CPU and was
allocated on the stack. If MAXCPU is raised to a sufficiently large
value this can overflow the kernel stack. Cap the stack growth by
using GIC_MAXCPU instead as for other parts of the gicv1/v2 driver in
commit a0e20c0ded1a.
Suggested by: andrew
Reviewed by: andrew, emaste
Obtained from: CheriBSD
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D41800
(cherry picked from commit d0af08c4ba3e400049d246d72401ce36d3bee98a)
---
sys/arm/arm/gic_acpi.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/arm/arm/gic_acpi.c b/sys/arm/arm/gic_acpi.c
index e18bc12faf4d..56ff78f9b685 100644
--- a/sys/arm/arm/gic_acpi.c
+++ b/sys/arm/arm/gic_acpi.c
@@ -84,7 +84,7 @@ EARLY_DRIVER_MODULE(gic, acpi, gic_acpi_driver, 0, 0,
struct madt_table_data {
device_t parent;
ACPI_MADT_GENERIC_DISTRIBUTOR *dist;
- ACPI_MADT_GENERIC_INTERRUPT *intr[MAXCPU];
+ ACPI_MADT_GENERIC_INTERRUPT *intr[GIC_MAXCPU];
};
static void
@@ -107,7 +107,7 @@ madt_handler(ACPI_SUBTABLE_HEADER *entry, void *arg)
break;
case ACPI_MADT_TYPE_GENERIC_INTERRUPT:
intr = (ACPI_MADT_GENERIC_INTERRUPT *)entry;
- if (intr->CpuInterfaceNumber < MAXCPU)
+ if (intr->CpuInterfaceNumber < GIC_MAXCPU)
madt_data->intr[intr->CpuInterfaceNumber] = intr;
break;
}
@@ -151,7 +151,7 @@ gic_acpi_identify(driver_t *driver, device_t parent)
}
intr = NULL;
- for (i = 0; i < MAXCPU; i++) {
+ for (i = 0; i < GIC_MAXCPU; i++) {
if (madt_data.intr[i] != NULL) {
if (intr == NULL) {
intr = madt_data.intr[i];