From: Ahmed Salem x0rw3ll@gmail.com
[ Upstream commit 64b9dfd0776e9c38d733094859a09f13282ce6f8 ]
ACPICA commit 8b83a8d88dfec59ea147fad35fc6deea8859c58c
ap_get_table_length() checks if tables are valid by calling ap_is_valid_header(). The latter then calls ACPI_VALIDATE_RSDP_SIG(Table->Signature).
ap_is_valid_header() accepts struct acpi_table_header as an argument, so the signature size is always fixed to 4 bytes.
The problem is when the string comparison is between ACPI-defined table signature and ACPI_SIG_RSDP. Common ACPI table header specifies the Signature field to be 4 bytes long[1], with the exception of the RSDP structure whose signature is 8 bytes long "RSD PTR " (including the trailing blank character)[2]. Calling strncmp(sig, rsdp_sig, 8) would then result in a sequence overread[3] as sig would be smaller (4 bytes) than the specified bound (8 bytes).
As a workaround, pass the bound conditionally based on the size of the signature being passed.
Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#sy... [1] Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#ro... [2] Link: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wstringop-over... [3] Link: https://github.com/acpica/acpica/commit/8b83a8d8 Signed-off-by: Ahmed Salem x0rw3ll@gmail.com Signed-off-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Link: https://patch.msgid.link/2248233.Mh6RI2rZIc@rjwysocki.net Signed-off-by: Sasha Levin sashal@kernel.org ---
Now I understand the issue! Let me analyze the problem: **Analysis:** **YES** - This commit should be backported to stable kernel trees. ## Detailed Analysis: ### The Problem: The commit fixes a **buffer overread vulnerability** in the `ACPI_VALIDATE_RSDP_SIG` macro. The issue occurs when: 1. `ap_is_valid_header()` accepts a `struct acpi_table_header *table` parameter 2. `struct acpi_table_header` has a `signature` field that is only **4 bytes** (`char signature[ACPI_NAMESEG_SIZE]` where `ACPI_NAMESEG_SIZE = 4`) 3. The original `ACPI_VALIDATE_RSDP_SIG(a)` macro calls `strncmp(a, ACPI_SIG_RSDP, 8)` - comparing **8 bytes** 4. When `table->signature` (4 bytes) is passed to this macro, `strncmp` reads **beyond the bounds** of the signature field, causing a buffer overread ### The Fix: The new macro implementation: ```c #define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, (sizeof(a) < 8) ? ACPI_NAMESEG_SIZE : 8)) ``` This intelligently chooses the comparison length: - If `sizeof(a) < 8`, it uses `ACPI_NAMESEG_SIZE` (4 bytes) - Otherwise, it uses the full 8 bytes for legitimate RSDP signatures ### Why This Should Be Backported: 1. **Security Issue**: This is a buffer overread that could potentially lead to information disclosure or memory corruption 2. **Minimal Risk**: The change is a small, surgical fix to a macro with clear logic 3. **Wide Impact**: The macro is used in multiple places including: - Kernel ACPI subsystem (`drivers/acpi/acpica/tbprint.c`, `tbxfroot.c`) - Boot code (`arch/x86/boot/compressed/acpi.c`) - ACPI tools (userspace tools) 4. **Compiler Warnings**: This likely fixes `-Wstringop-overread` compiler warnings, improving code quality 5. **No Functional Change**: The fix maintains the same intended behavior while preventing the overread 6. **Follows Stable Rules**: This is exactly the type of important bugfix that stable trees are meant to include ### Similar Commit Precedent: Similar commit #3 (Status: YES) shows that ACPI compilation warning fixes have been backported before, and this is a more serious issue (actual buffer overread vs. just truncation warnings). The fix addresses a real memory safety issue in a fundamental ACPI macro used throughout the kernel, making it an excellent candidate for stable backporting.
include/acpi/actypes.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h index 85c2dcf2b7048..0a24200852415 100644 --- a/include/acpi/actypes.h +++ b/include/acpi/actypes.h @@ -527,7 +527,7 @@ typedef u64 acpi_integer;
/* Support for the special RSDP signature (8 characters) */
-#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, 8)) +#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, (sizeof(a) < 8) ? ACPI_NAMESEG_SIZE : 8)) #define ACPI_MAKE_RSDP_SIG(dest) (memcpy (ACPI_CAST_PTR (char, (dest)), ACPI_SIG_RSDP, 8))
/* Support for OEMx signature (x can be any character) */