ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
[ Upstream commit a83e1385b780d41307433ddbc86e3c528db031f0 ]

Undo the modifications made in commit d410ee5109 ("ACPICA: avoid "Info: mapping multiple BARs. Your kernel is fine."").

The initial purpose of this commit was to stop memory mappings for operation regions from overlapping page boundaries, as it can trigger warnings if different page attributes are present. However, it was found that when this situation arises, mapping continues until the boundary's end, but there is still an attempt to read/write the entire length of the map, leading to a NULL pointer dereference. For example, if a four-byte mapping request is made but only one byte is mapped because it hits the current page boundary's end, a four-byte read/write attempt is still made, resulting in a NULL pointer dereference.

Instead, map the entire length, as the ACPI specification does not mandate that it must be within the same page boundary. It is permissible for it to be mapped across different regions.

This fixes CVE-2024-40984

Link: https://github.com/acpica/acpica/pull/954
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218849
Fixes: d410ee5109 ("ACPICA: avoid "Info: mapping multiple BARs. Your kernel is fine."")
Co-developed-by: Sanath S <Sanath.S@amd.com>
Signed-off-by: Sanath S <Sanath.S@amd.com>
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Huang Cun <cunhuang@tencent.com>
Signed-off-by: Jianping Liu <frankjpliu@tencent.com>
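The length mismatch the commit message describes, as an added user-space model (not code from the commit or from ACPICA). The function names, the 4096-byte page size and the sample addresses are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u /* assumed stand-in for ACPI_DEFAULT_PAGE_SIZE */

/* Model of the reverted logic: one mapping never crosses a page boundary. */
static size_t map_len_page_clamped(uint64_t address, uint64_t base, size_t len)
{
    size_t map_length = (size_t)((base + len) - address);
    uint64_t rounded = (address + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE
                       * MODEL_PAGE_SIZE;
    size_t to_boundary = (size_t)(rounded - address);

    if (to_boundary == 0)              /* address already page aligned */
        to_boundary = MODEL_PAGE_SIZE;
    if (map_length > to_boundary)
        map_length = to_boundary;
    return map_length;
}

/* Model of the restored logic: cap the window size, ignore page alignment. */
static size_t map_len_restored(uint64_t address, uint64_t base, size_t len)
{
    size_t map_length = (size_t)((base + len) - address);

    if (map_length > MODEL_PAGE_SIZE)
        map_length = MODEL_PAGE_SIZE;
    return map_length;
}

/* The check that matters: does an access of bit_width bits fit the window? */
static int access_fits(size_t map_length, unsigned bit_width)
{
    return (size_t)(bit_width / 8) <= map_length;
}

int main(void)
{
    /* Constructed case: 32-bit access one byte before a page boundary. */
    uint64_t base = 0x1000, address = 0x1FFF;
    size_t len = 0x2000;
    size_t clamped = map_len_page_clamped(address, base, len);
    size_t restored = map_len_restored(address, base, len);

    printf("clamped:  mapped %zu bytes, 4-byte access fits: %d\n",
           clamped, access_fits(clamped, 32));
    printf("restored: mapped %zu bytes, 4-byte access fits: %d\n",
           restored, access_fits(restored, 32));
    return 0;
}
```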
parent 4ea55be1d9
commit e5a6af703f
@ -43,7 +43,6 @@ acpi_ex_system_memory_space_handler(u32 function,
|
|||
struct acpi_mem_space_context *mem_info = region_context;
|
||||
u32 length;
|
||||
acpi_size map_length;
|
||||
acpi_size page_boundary_map_length;
|
||||
#ifdef ACPI_MISALIGNMENT_NOT_SUPPORTED
|
||||
u32 remainder;
|
||||
#endif
|
||||
|
@ -120,26 +119,8 @@ acpi_ex_system_memory_space_handler(u32 function,
|
|||
map_length = (acpi_size)
|
||||
((mem_info->address + mem_info->length) - address);
|
||||
|
||||
/*
|
||||
* If mapping the entire remaining portion of the region will cross
|
||||
* a page boundary, just map up to the page boundary, do not cross.
|
||||
* On some systems, crossing a page boundary while mapping regions
|
||||
* can cause warnings if the pages have different attributes
|
||||
* due to resource management.
|
||||
*
|
||||
* This has the added benefit of constraining a single mapping to
|
||||
* one page, which is similar to the original code that used a 4k
|
||||
* maximum window.
|
||||
*/
|
||||
page_boundary_map_length = (acpi_size)
|
||||
(ACPI_ROUND_UP(address, ACPI_DEFAULT_PAGE_SIZE) - address);
|
||||
if (page_boundary_map_length == 0) {
|
||||
page_boundary_map_length = ACPI_DEFAULT_PAGE_SIZE;
|
||||
}
|
||||
|
||||
if (map_length > page_boundary_map_length) {
|
||||
map_length = page_boundary_map_length;
|
||||
}
|
||||
if (map_length > ACPI_DEFAULT_PAGE_SIZE)
|
||||
map_length = ACPI_DEFAULT_PAGE_SIZE;
|
||||
|
||||
/* Create a new mapping starting at the address given */
|
||||
|
||||
|
|
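Review bot: the `if (map_length > ACPI_DEFAULT_PAGE_SIZE)` cap that remains just ahead of "Create a new mapping starting at the address given" has no comment, whereas the page-boundary block in this hunk carried a full explanation, and the commit message says to "map the entire length" while this line still limits a single mapping to ACPI_DEFAULT_PAGE_SIZE. Suggest a short comment stating that the window is capped at one page size but may now cross a page boundary, and pointing to where the handler guarantees that the access width fits inside map_length, since a mapped length shorter than the access is the failure the message describes.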