On Sunday, July 08, 2012 7:54:40 am Dan Lukes wrote:
> 
> >Submitter-Id: current-users
> >Originator: Dan Lukes
> >Organization: Obludarium
> >Confidential: no
> >Synopsis: [ patch ] improper handling of ACPI TCPA table, acpidump abend imminent
> >Severity: serious
> >Priority: medium
> >Category: bin
> >Class: sw-bug
> >Release: FreeBSD 9.0 i386
> >Environment:
> System: FreeBSD 9.0
> src/usr.sbin/acpi/acpidump/acpi.c,v 1.42.2.1.2.1
> 
> but applies to all revisions past 1.38 (e.g. all RELENG_9 and HEAD)
> 
> >Description:
> TCG ACPI (TCPA) support added as SVN rev 211196
> 
> 1. event->event_type and event->event_size are big-endian (see TCPA PC Specific Specification, paragraph 7.2.2.2). Current code uses them directly. It causes misinterpretation of values and may cause abend.
> 
> 2. 'if (vaddr + event->event_size >= vend )' test is insufficient because:
> 
> 2a) event->event_size is declared signed and may be negative (especially when a big-endian value is used without proper conversion)
> 2b) vaddr+event->event_size may overflow / wrap around even in the case the event_size is positive
> 
> in both cases, memory outside of <vaddr,vend> range may be referenced. Abend is imminent.
> 
> >How-To-Repeat:
> Dump non-empty TCPA table. It will print events incorrectly, may abend.
> 
> >Fix:
> 
> 1. use ntohl() to convert event->event_size and event->event_type before use
> 2. test vaddr + eventdatasize for wraparound/underflow case also
It might be best to use betoh() macros from <sys/endian.h> instead of ntohl().

-- 
John Baldwin
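The two fixes the PR asks for, byte-order conversion of the header fields and a bounds check that cannot wrap, as an added C example that is neither acpidump's code nor anything either poster wrote. It assumes a TCG 1.2 style 32-byte record header (PCR index, event type, 20-byte digest, event size, then the event data) and, following the PR's description, reads the 32-bit fields as big-endian; it uses ntohl()/htonl() from <arpa/inet.h> so it builds on any POSIX system (be32toh() from <sys/endian.h>, as suggested in the reply, is the FreeBSD equivalent). The sample logs are constructed inline; the 0xFFFFFFFF size is the "negative when read as signed" case from item 2a.

```c
#include <arpa/inet.h>   /* ntohl()/htonl(); FreeBSD's be32toh() from <sys/endian.h> is equivalent */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout (TCG 1.2 style PCR event, 32-byte header):
 *   uint32 pcr_index | uint32 event_type | uint8 digest[20] | uint32 event_size | uint8 event[event_size]
 * Per the PR, the 32-bit fields are treated as big-endian. */
#define TCPA_DIGEST_LEN 20
#define TCPA_HDR_LEN    (4 + 4 + TCPA_DIGEST_LEN + 4)

struct tcpa_event {
	uint32_t pcr_index;
	uint32_t event_type;
	const uint8_t *digest;
	uint32_t event_size;      /* unsigned on purpose: a "negative" size is just a huge one */
	const uint8_t *event_data;
};

static uint32_t rd_be32(const uint8_t *p)
{
	uint32_t v;
	memcpy(&v, p, sizeof(v));   /* unaligned-safe read */
	return ntohl(v);
}

static void wr_be32(uint8_t *p, uint32_t v)
{
	v = htonl(v);
	memcpy(p, &v, sizeof(v));
}

/* Parse one record from [vaddr, vend). Returns bytes consumed, or 0 if malformed.
 * The size is compared against the bytes remaining instead of forming
 * vaddr + event_size, so the check cannot wrap past vend (items 2a and 2b). */
static size_t tcpa_parse_event(const uint8_t *vaddr, const uint8_t *vend, struct tcpa_event *ev)
{
	size_t remaining;

	if (vaddr == NULL || vend == NULL || vend < vaddr)
		return 0;
	remaining = (size_t)(vend - vaddr);
	if (remaining < TCPA_HDR_LEN)
		return 0;                                   /* truncated header */
	ev->pcr_index  = rd_be32(vaddr);
	ev->event_type = rd_be32(vaddr + 4);
	ev->digest     = vaddr + 8;
	ev->event_size = rd_be32(vaddr + 8 + TCPA_DIGEST_LEN);
	ev->event_data = vaddr + TCPA_HDR_LEN;
	if (ev->event_size > remaining - TCPA_HDR_LEN)
		return 0;                                   /* data would run past vend */
	return TCPA_HDR_LEN + ev->event_size;
}

/* Walk a log, printing each record; returns the count of well-formed records
 * and stops at the first malformed one. */
static int tcpa_walk(const uint8_t *buf, size_t len)
{
	const uint8_t *p = buf, *end = buf + len;
	int n = 0;

	while (p < end) {
		struct tcpa_event ev;
		size_t used = tcpa_parse_event(p, end, &ev);
		if (used == 0) {
			printf("malformed record at offset %zu\n", (size_t)(p - buf));
			break;
		}
		printf("pcr=%u type=0x%x size=%u\n", ev.pcr_index, ev.event_type, ev.event_size);
		p += used;
		n++;
	}
	return n;
}

/* Write one constructed record; size_field is stored as given so a sample can lie. */
static size_t build_event(uint8_t *dst, uint32_t pcr, uint32_t type, uint32_t size_field,
    const uint8_t *data, size_t data_len)
{
	wr_be32(dst, pcr);
	wr_be32(dst + 4, type);
	memset(dst + 8, 0xAB, TCPA_DIGEST_LEN);          /* constructed digest */
	wr_be32(dst + 8 + TCPA_DIGEST_LEN, size_field);
	if (data_len)
		memcpy(dst + TCPA_HDR_LEN, data, data_len);
	return TCPA_HDR_LEN + data_len;
}

/* Constructed sample logs: a clean one, one with a 0xFFFFFFFF size, one cut short. */
static int demo_good_log(void)
{
	uint8_t buf[128];
	size_t n = build_event(buf, 0, 0x8, 4, (const uint8_t *)"v1.0", 4);
	n += build_event(buf + n, 7, 0x1, 0, NULL, 0);
	return tcpa_walk(buf, n);                           /* 2 */
}

static int demo_negative_size(void)
{
	uint8_t buf[128];
	size_t n = build_event(buf, 0, 0x8, 4, (const uint8_t *)"v1.0", 4);
	n += build_event(buf + n, 7, 0x1, 0xFFFFFFFFu, NULL, 0);  /* -1 if read as signed */
	return tcpa_walk(buf, n);                           /* 1: second record rejected */
}

static int demo_truncated(void)
{
	uint8_t buf[128];
	size_t n = build_event(buf, 0, 0x8, 4, (const uint8_t *)"v1.0", 4);
	return tcpa_walk(buf, n - 2);                       /* 0: header promises 4 bytes, 2 present */
}

int main(void)
{
	return (demo_good_log() == 2 && demo_negative_size() == 1 && demo_truncated() == 0) ? 0 : 1;
}
```

With the old test, `vaddr + event->event_size >= vend`, the 0xFFFFFFFF record would pass (vaddr - 1 is below vend) and the data pointer would be dereferenced far outside the table; comparing the size against `vend - vaddr` rejects it without ever forming an out-of-range pointer.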
