author | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-07-21 09:24:12 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-07-21 09:24:12 -0500 |
commit | 79d288fe2ca3c44527fda80420a5e5e15114557d (patch) | |
tree | 033a22a9d128c68c3ff6653058a3a5acb7079963 /CVE-2017-11473.patch | |
parent | cd872e7a3e9c22fca7caf782f798d2fd95383410 (diff) | |
Linux v4.12.3
Diffstat (limited to 'CVE-2017-11473.patch')
-rw-r--r-- | CVE-2017-11473.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/CVE-2017-11473.patch b/CVE-2017-11473.patch new file mode 100644 index 000000000..e3e0658a4 --- /dev/null +++ b/CVE-2017-11473.patch @@ -0,0 +1,48 @@ +From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001 +From: Seunghun Han <kkamagui@gmail.com> +Date: Tue, 18 Jul 2017 20:03:51 +0900 +Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables + +The bus_irq argument of mp_override_legacy_irq() is used as the index into +the isa_irq_to_gsi[] array. The bus_irq argument originates from +ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI +tables, but is nowhere sanity checked. + +That allows broken or malicious ACPI tables to overwrite memory, which +might cause malfunction, panic or arbitrary code execution. + +Add a sanity check and emit a warning when that triggers. + +[ tglx: Added warning and rewrote changelog ] + +Signed-off-by: Seunghun Han <kkamagui@gmail.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Cc: security@kernel.org +Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net> +Cc: stable@vger.kernel.org +--- + arch/x86/kernel/acpi/boot.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c +index 6bb6806..7491e73 100644 +--- a/arch/x86/kernel/acpi/boot.c ++++ b/arch/x86/kernel/acpi/boot.c +@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, + struct mpc_intsrc mp_irq; + + /* ++ * Check bus_irq boundary. ++ */ ++ if (bus_irq >= NR_IRQS_LEGACY) { ++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq); ++ return; ++ } ++ ++ /* + * Convert 'gsi' to 'ioapic.pin'. + */ + ioapic = mp_find_ioapic(gsi); +-- +cgit v1.1 + |
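Review bot: the pr_warn() added at the top of mp_override_legacy_irq() reports only bus_irq, which leaves little to identify the offending ACPI table entry from a boot log. gsi is already in scope (it is passed to mp_find_ioapic(gsi) just below), so consider logging it alongside, for example "Invalid bus_irq %u for legacy override (gsi %u)\n". The new comment "Check bus_irq boundary." only restates the code; saying that bus_irq indexes isa_irq_to_gsi[], as the changelog does, would tell a later reader why NR_IRQS_LEGACY is the right bound. On the packaging side, this view is limited to CVE-2017-11473.patch and the commit subject mentions only the rebase, so it is worth confirming that the same commit also lists and applies the new patch file in the spec.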