
Commit c13085e5 authored by Bob Moore's avatar Bob Moore Committed by Rafael J. Wysocki

ACPICA: Resource Mgr: Prevent infinite loops in resource walks



Add checks for zero-length resource descriptors in all code that
loops through a resource descriptor list. This prevents possible
infinite loops because the length is used to increment the traversal
pointer and detect the end-of-descriptor.

Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
parent f6161aa1
+6 −0
@@ -202,6 +202,12 @@ acpi_rs_get_aml_length(struct acpi_resource * resource, acpi_size * size_needed)
			return_ACPI_STATUS(AE_AML_INVALID_RESOURCE_TYPE);
		}

		/* Sanity check the length. It must not be zero, or we loop forever */

		if (!resource->length) {
			return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);
		}

		/* Get the base size of the (external stream) resource descriptor */

		total_size = acpi_gbl_aml_resource_sizes[resource->type];
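Review bot: The new test in acpi_rs_get_aml_length rejects only a length of exactly zero, so a descriptor whose length is nonzero but smaller than its own type and length fields still passes and moves the traversal pointer into the middle of the current descriptor. If these lists can be shaped by firmware-supplied data, a lower bound is the stronger guard, for example `if (resource->length < sizeof(resource->type) + sizeof(resource->length))`. The same applies to the equivalent checks added in acpi_rs_dump_resource_list, acpi_rs_convert_resources_to_aml and acpi_walk_resource_buffer. The loop and its termination condition are outside this hunk, so how far a misaligned walk could get is not visible here.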
+8 −0
@@ -385,6 +385,14 @@ void acpi_rs_dump_resource_list(struct acpi_resource *resource_list)
			return;
		}

		/* Sanity check the length. It must not be zero, or we loop forever */

		if (!resource_list->length) {
			acpi_os_printf
			    ("Invalid zero length descriptor in resource list\n");
			return;
		}

		/* Dump the resource descriptor */

		if (type == ACPI_RESOURCE_TYPE_SERIAL_BUS) {
+8 −0
@@ -178,6 +178,14 @@ acpi_rs_convert_resources_to_aml(struct acpi_resource *resource,
			return_ACPI_STATUS(AE_BAD_DATA);
		}

		/* Sanity check the length. It must not be zero, or we loop forever */

		if (!resource->length) {
			ACPI_ERROR((AE_INFO,
				    "Invalid zero length descriptor in resource list\n"));
			return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);
		}

		/* Perform the conversion */

		if (resource->type == ACPI_RESOURCE_TYPE_SERIAL_BUS) {
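Review bot: The string passed to `ACPI_ERROR` ends in `\n`, which the plain acpi_os_printf call in acpi_rs_dump_resource_list needs but this macro probably does not. As far as I know ACPI_ERROR appends its own location suffix and line end, so the embedded newline would push that suffix onto a separate log line. I would drop it: `"Invalid zero length descriptor in resource list"));`. The enclosing loop starts and ends outside the hunk.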
+7 −1
@@ -563,13 +563,19 @@ acpi_walk_resource_buffer(struct acpi_buffer * buffer,

	while (resource < resource_end) {

		/* Sanity check the resource */
		/* Sanity check the resource type */

		if (resource->type > ACPI_RESOURCE_TYPE_MAX) {
			status = AE_AML_INVALID_RESOURCE_TYPE;
			break;
		}

		/* Sanity check the length. It must not be zero, or we loop forever */

		if (!resource->length) {
			return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);
		}

		/* Invoke the user function, abort on any error returned */

		status = user_function(resource, context);
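Review bot: The zero-length check leaves the loop with `return_ACPI_STATUS(AE_AML_BAD_RESOURCE_LENGTH);` while the type check directly above it sets `status` and uses `break`, so the two failure paths exit acpi_walk_resource_buffer differently. Whatever follows the loop is not visible in this hunk, and it would be skipped on the new path only. For consistency I would write `status = AE_AML_BAD_RESOURCE_LENGTH;` followed by `break;`.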