• Robert Richter's avatar
    lib/firmware_table: Provide buffer length argument to cdat_table_parse() · c6c3187d
    Robert Richter authored
    There exist card implementations with a CDAT table using a fixed size
    buffer, but with entries filled in that do not fill the whole table
    length size. Then, the last entry in the CDAT table may not mark the
    end of the CDAT table buffer specified by the length field in the CDAT
    header. It can be shorter with trailing unused (zero'ed) data. The
    actual table length is determined while reading all CDAT entries of
    the table with DOE.
    
    If the table is greater than expected (containing zero'ed trailing
    data), the CDAT parser fails with:
    
     [   48.691717] Malformed DSMAS table length: (24:0)
     [   48.702084] [CDAT:0x00] Invalid zero length
     [   48.711460] cxl_port endpoint1: Failed to parse CDAT: -22
    
    In addition, a check of the table buffer length is missing to prevent
    an out-of-bound access then parsing the CDAT table.
    
    Hardening code against device returning borked table. Fix that by
    providing an optional buffer length argument to
    acpi_parse_entries_array() that can be used by cdat_table_parse() to
    propagate the buffer size down to its users to check the buffer
    length. This also prevents a possible out-of-bound access mentioned.
    
    Add a check to warn about a malformed CDAT table length.
    
    Cc: Rafael J. Wysocki <rafael@kernel.org>
    Cc: Len Brown <lenb@kernel.org>
    Reviewed-by: default avatarDave Jiang <dave.jiang@intel.com>
    Signed-off-by: default avatarRobert Richter <rrichter@amd.com>
    Reviewed-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
    Link: https://lore.kernel.org/r/ZdEnopFO0Tl3t2O1@rric.localdomainSigned-off-by: default avatarDan Williams <dan.j.williams@intel.com>
    c6c3187d
fw_table.c 6.1 KB