[ patch ] improper handling of ACPI TCPA table, acpidump abend imminent
John Baldwin
jhb at freebsd.org
Mon Jul 9 15:06:18 UTC 2012
On Sunday, July 08, 2012 7:54:40 am Dan Lukes wrote:
>
> >Submitter-Id: current-users
> >Originator: Dan Lukes
> >Organization: Obludarium
> >Confidential: no
> >Synopsis: [ patch ] improper handling of ACPI TCPA table, acpidump abend
> imminent
> >Severity: serious
> >Priority: medium
> >Category: bin
> >Class: sw-bug
> >Release: FreeBSD 9.0 i386
> >Environment:
> System: FreeBSD 9.0
> src/usr.sbin/acpi/acpidump/acpi.c,v 1.42.2.1.2.1
>
> but applies to all revisions past 1.38 (e.g. all RELENG_9 and HEAD)
>
> >Description:
> TCG ACPI (TCPA) support added as SVN rev 211196
>
> 1. event->event_type and event->event_size are big-endian (see TCPA PC
> Specific Specification, paragraph 7.2.2.2). Current code uses them directly. It
> causes misinterpretation of values and may cause abend.
>
> 2. 'if (vaddr + event->event_size >= vend )' test is insufficient because:
>
> 2a) event->event_size is declared signed and may be negative (especially when
> big-endian value used without proper conversion)
> 2b) vaddr+event->event_size may overflow / wrap around even in the case the
> event_size is positive
>
> in both cases, memory outside of the <vaddr,vend> range may be referenced. Abend
> is imminent.
>
> >How-To-Repeat:
> Dump non-empty TCPA table. It will print events incorrectly, may abend.
>
> >Fix:
>
> 1. use ntohl() to convert event->event_size and event->event_type before use
> 2. test vaddr + eventdatasize for wraparound/underflow case also
It might be best to use betoh() macros from <sys/endian.h> instead of ntohl().
--
John Baldwin
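Working through the report's two fixes in code, as an added example that is neither acpidump's source nor code from either poster: the event fields are converted from big-endian with a portable stand-in for be32toh(), and the bounds check compares the declared size against the bytes remaining rather than computing vaddr + event_size, so neither a "negative" size nor pointer wraparound can slip past it. The 32-byte header layout (PCR index, event type, 20-byte digest, event size) and all function names are assumptions.

```c
/* Added example (not acpidump's code): walk a TCPA event log the way the
 * report recommends. Layout assumed from acpidump's struct TCPAevent:
 * 4-byte PCR index, 4-byte event type, 20-byte SHA-1 digest, 4-byte
 * event data size, then the data; the integer fields are big-endian. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCPA_EVENT_HDR 32u

/* Stand-ins for be32toh()/htobe32() from <sys/endian.h>, kept portable. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Count events in [log, log+len); *last_type receives the converted event
 * type of the final one. Returns -1 on a truncated header or body.
 * The bound is checked against the bytes remaining, never by adding the
 * size to a pointer, so it cannot wrap; the size is unsigned, so there is
 * no negative size to slip past a signed comparison. */
int tcpa_walk(const uint8_t *log, size_t len, uint32_t *last_type)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        if (len - off < TCPA_EVENT_HDR)
            return -1;                          /* header past end */
        uint32_t type = load_be32(log + off + 4);
        uint32_t size = load_be32(log + off + 28);
        if (size > len - off - TCPA_EVENT_HDR)
            return -1;                          /* body past end */
        *last_type = type;
        off += TCPA_EVENT_HDR + size;
        n++;
    }
    return n;
}

/* Append one big-endian event to buf (constructed test data); returns
 * bytes written, 0 if there is no room. */
size_t tcpa_put_event(uint8_t *buf, size_t cap, uint32_t type,
                      const uint8_t *data, uint32_t size)
{
    if (cap < TCPA_EVENT_HDR || cap - TCPA_EVENT_HDR < size)
        return 0;
    memset(buf, 0, TCPA_EVENT_HDR);             /* PCR index 0, zero digest */
    store_be32(buf + 4, type);
    store_be32(buf + 28, size);
    if (size)
        memcpy(buf + TCPA_EVENT_HDR, data, size);
    return TCPA_EVENT_HDR + size;
}
```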