ACPICA: Avoid subobject buffer overflow when validating RSDP signature
ACPICA commit 6bb72909c1e3d415aee214104a01bc9834b2d4ce Since the Signature member is accessed through an struct acpi_table_header, the pointer to it is only to a 4-char array, and so trying to read past the 4th character, as will be done when it is an RSDP, reads beyond the bounds of the accessed member. On CHERI, and thus Arm's experimental Morello prototype architecture, pointers are represented as capabilities, which are unforgeable bounded pointers, providing always-on fine-grained spatial memory safety. By default, subobject bounds enforcement is not enabled, only bounds on allocations, but it is enabled in the cheri_BSD (a port of free_BSD) kernel as intra-object overflow attacks are common on operating system kernels, and so this overflow is detected there and traps. Link: https://github.com/acpica/acpica/commit/6bb72909 Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
This commit is contained in:
parent
339651be37
commit
a3e525feae
|
@ -101,7 +101,8 @@ acpi_tb_print_table_header(acpi_physical_address address,
|
|||
ACPI_INFO(("%-4.4s 0x%8.8X%8.8X %06X",
|
||||
header->signature, ACPI_FORMAT_UINT64(address),
|
||||
header->length));
|
||||
} else if (ACPI_VALIDATE_RSDP_SIG(header->signature)) {
|
||||
} else if (ACPI_VALIDATE_RSDP_SIG(ACPI_CAST_PTR(struct acpi_table_rsdp,
|
||||
header)->signature)) {
|
||||
|
||||
/* RSDP has no common fields */
|
||||
|
||||
|
|
Loading…
Reference in New Issue