android_kernel_oneplus_msm8998/arch
Seunghun Han fa7ddee348 x86/acpi: Prevent out of bound access caused by broken ACPI tables
commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 upstream.

The bus_irq argument of mp_override_legacy_irq() is used as the index into
the isa_irq_to_gsi[] array. The bus_irq argument originates from
ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
tables, but is nowhere sanity checked.

That allows broken or malicious ACPI tables to overwrite memory, which
might cause malfunction, panic or arbitrary code execution.

Add a sanity check and emit a warning when that triggers.

[ tglx: Added warning and rewrote changelog ]

Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: security@kernel.org
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-27 15:06:07 -07:00
alpha osf_wait4(): fix infoleak 2017-05-25 14:30:17 +02:00
arc mm: larger stack guard gap, between vmas 2017-06-26 07:13:11 +02:00
arm arm: move ELF_ET_DYN_BASE to 4MB 2017-07-21 07:44:57 +02:00
arm64 arm64: move ELF_ET_DYN_BASE to 4GB / 4MB 2017-07-21 07:44:57 +02:00
avr32 avr32: off by one in at32_init_pio() 2016-10-07 15:23:45 +02:00
blackfin net: smc91x: fix SMC accesses 2016-09-30 10:18:37 +02:00
c6x c6x/ptrace: Remove useless PTRACE_SETREGSET implementation 2017-03-31 09:49:53 +02:00
cris cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected 2017-01-12 11:22:48 +01:00
frv mm: larger stack guard gap, between vmas 2017-06-26 07:13:11 +02:00
h8300 h8300/ptrace: Fix incorrect register transfer count 2017-03-31 09:49:53 +02:00
hexagon hexagon: fix strncpy_from_user() error return 2016-09-24 10:07:44 +02:00
ia64 ia64: copy_from_user() should zero the destination on access_ok() failure 2016-09-24 10:07:46 +02:00
m32r m32r: fix __get_user() 2016-09-24 10:07:43 +02:00
m68k m68k: Fix ndelay() macro 2016-12-15 08:49:23 -08:00
metag metag/uaccess: Check access_ok in strncpy_from_user 2017-05-25 14:30:16 +02:00
microblaze microblaze: fix copy_from_user() 2016-09-24 10:07:43 +02:00
mips MIPS: Negate error syscall return in trace 2017-07-27 15:06:07 -07:00
mn10300 mn10300: copy_from_user() should zero on access_ok() failure... 2016-09-24 10:07:45 +02:00
nios2 nios2: reserve boot memory for device tree 2017-04-12 12:38:34 +02:00
openrisc openrisc: fix the fix of copy_from_user() 2016-09-24 10:07:46 +02:00
parisc parisc/mm: Ensure IRQs are off in switch_mm() 2017-07-21 07:44:56 +02:00
powerpc powerpc/asm: Mark cr0 as clobbered in mftb() 2017-07-27 15:06:05 -07:00
s390 s390/syscalls: Fix out of bounds arguments access 2017-07-27 15:06:06 -07:00
score score: fix copy_from_user() and friends 2016-09-24 10:07:44 +02:00
sh mm: larger stack guard gap, between vmas 2017-06-26 07:13:11 +02:00
sparc mm: larger stack guard gap, between vmas 2017-06-26 07:13:11 +02:00
tile mm: larger stack guard gap, between vmas 2017-06-26 07:13:11 +02:00
um um: Don't discard .text.exit section 2016-09-07 08:32:38 +02:00
unicore32 pwm: Changes for v4.4-rc1 2015-11-11 09:16:10 -08:00
x86 x86/acpi: Prevent out of bound access caused by broken ACPI tables 2017-07-27 15:06:07 -07:00
xtensa mm: larger stack guard gap, between vmas 2017-06-26 07:13:11 +02:00
.gitignore
Kconfig