author: Thorsten Leemhuis <fedora@leemhuis.info> 2017-07-21 20:00:09 +0200
committer: Thorsten Leemhuis <fedora@leemhuis.info> 2017-07-21 20:00:09 +0200
commit: ac94a4c4bf442567c9a2330d56732b6185319b4c
tree: 89b5ac140514bcd1324c3dc44efee4887d0a9361 /CVE-2017-11473.patch
parent: b2d0497534f2778ca8da58a15e83f2c6f1044bab
parent: 75638e4e226b3c42b33ce1d950ab721812e6f316
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedora
(tag: kernel-4.11.12-200.vanilla.knurd.1.fc25)
Diffstat (limited to 'CVE-2017-11473.patch')
-rw-r--r-- CVE-2017-11473.patch | 48
1 files changed, 48 insertions, 0 deletions
diff --git a/CVE-2017-11473.patch b/CVE-2017-11473.patch
new file mode 100644
index 000000000..e3e0658a4
--- /dev/null
+++ b/CVE-2017-11473.patch
@@ -0,0 +1,48 @@
+From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: stable@vger.kernel.org
+---
+ arch/x86/kernel/acpi/boot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
+index 6bb6806..7491e73 100644
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
+ struct mpc_intsrc mp_irq;
+
+ /*
++ * Check bus_irq boundary.
++ */
++ if (bus_irq >= NR_IRQS_LEGACY) {
++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++ return;
++ }
++
++ /*
+ * Convert 'gsi' to 'ioapic.pin'.
+ */
+ ioapic = mp_find_ioapic(gsi);
+--
+cgit v1.1
+
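Review bot: in the mp_override_legacy_irq() hunk the warning prints only bus_irq and the function then returns without applying the override, so someone reading the log cannot tell which table entry was rejected; consider adding gsi to the pr_warn(), since it is already in scope (it is passed to mp_find_ioapic() just below). The comment "Check bus_irq boundary." could also carry the reason the changelog gives, that bus_irq is the index into isa_irq_to_gsi[], and note that NR_IRQS_LEGACY is assumed to match that array's size, because the declaration is not visible in this hunk. The bound itself is complete as written: bus_irq is a u8, so only the upper limit needs testing. On the packaging side, this view is limited to the new patch file, so confirm that the same merge also lists it in the spec file, otherwise the fix is shipped in the tree but never applied to the build.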