Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ACPICA: Resource Mgr: Prevent infinite loops in resource walks

Add checks for zero-length resource descriptors in all code that
loops through a resource descriptor list. This prevents possible
infinite loops because the length is used to increment the traveral
pointer and detect the end-of-descriptor.

Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Bob Moore 12 years ago
parent
f6161aa153
commit
c13085e519
4 changed files with 29 additions and 1 deletions
Split View Show Diff Stats
  1. 6 0
      drivers/acpi/acpica/rscalc.c
  2. 8 0
      drivers/acpi/acpica/rsdump.c
  3. 8 0
      drivers/acpi/acpica/rslist.c
  4. 7 1
      drivers/acpi/acpica/rsxface.c

+ 6 - 0
drivers/acpi/acpica/rscalc.c
View File 

@@ -202,6 +202,12 @@ acpi_rs_get_aml_length(struct acpi_resource * resource, acpi_size * size_needed)
 
 			return_ACPI_STATUS(AE_AML_INVALID_RESOURCE_TYPE);
 
 		}
 
 
+		/* Sanity check the length. It must not be zero, or we loop forever */
 
+
 
+		if (!resource->length) {
 
+			return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);
 
+		}
 
+
 
 		/* Get the base size of the (external stream) resource descriptor */
 
 
 		total_size = acpi_gbl_aml_resource_sizes[resource->type];

+ 8 - 0
drivers/acpi/acpica/rsdump.c
View File 

@@ -385,6 +385,14 @@ void acpi_rs_dump_resource_list(struct acpi_resource *resource_list)
 
 			return;
 
 		}
 
 
+		/* Sanity check the length. It must not be zero, or we loop forever */
 
+
 
+		if (!resource_list->length) {
 
+			acpi_os_printf
 
+			    ("Invalid zero length descriptor in resource list\n");
 
+			return;
 
+		}
 
+
 
 		/* Dump the resource descriptor */
 
 
 		if (type == ACPI_RESOURCE_TYPE_SERIAL_BUS) {

+ 8 - 0
drivers/acpi/acpica/rslist.c
View File 

@@ -178,6 +178,14 @@ acpi_rs_convert_resources_to_aml(struct acpi_resource *resource,
 
 			return_ACPI_STATUS(AE_BAD_DATA);
 
 		}
 
 
+		/* Sanity check the length. It must not be zero, or we loop forever */
 
+
 
+		if (!resource->length) {
 
+			ACPI_ERROR((AE_INFO,
 
+				    "Invalid zero length descriptor in resource list\n"));
 
+			return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);
 
+		}
 
+
 
 		/* Perform the conversion */
 
 
 		if (resource->type == ACPI_RESOURCE_TYPE_SERIAL_BUS) {

+ 7 - 1
drivers/acpi/acpica/rsxface.c
View File 

@@ -563,13 +563,19 @@ acpi_walk_resource_buffer(struct acpi_buffer * buffer,
 
 
 	while (resource < resource_end) {
 
 
-		/* Sanity check the resource */
 
+		/* Sanity check the resource type */
 
 
 		if (resource->type > ACPI_RESOURCE_TYPE_MAX) {
 
 			status = AE_AML_INVALID_RESOURCE_TYPE;
 
 			break;
 
 		}
 
 
+		/* Sanity check the length. It must not be zero, or we loop forever */
 
+
 
+		if (!resource->length) {
 
+			return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);
 
+		}
 
+
 
 		/* Invoke the user function, abort on any error returned */
 
 
 		status = user_function(resource, context);