diff options
author | Ingo Molnar <mingo@kernel.org> | 2015-03-02 14:18:57 +0100 |
---|---|---|
committer | Ingo Molnar <mingo@kernel.org> | 2015-03-02 14:18:57 +0100 |
commit | be482d624c3112c761d429f314582850b62214b5 (patch) | |
tree | 7f90fd31eee17de9f71b398fa5a073ff401afffd /drivers/firmware | |
parent | a38ecbbd0be025a6ecbbfd22d2575a5b46317117 (diff) | |
parent | 6d9ff473317245e3e5cd9922b4520411c2296388 (diff) | |
download | lwn-be482d624c3112c761d429f314582850b62214b5.tar.gz lwn-be482d624c3112c761d429f314582850b62214b5.zip |
Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into x86/urgent
Pull EFI fixes from Matt Fleming:
" - Fix regression in DMI sysfs code for handling "End of Table" entry
and a type bug that could lead to integer overflow. (Ivan Khoronzhuk)
- Fix boundary checking in efi_high_alloc() which can lead to memory
corruption in the EFI boot stubs. (Yinghai Lu)"
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'drivers/firmware')
-rw-r--r-- | drivers/firmware/dmi_scan.c | 17 | ||||
-rw-r--r-- | drivers/firmware/efi/libstub/efi-stub-helper.c | 8 |
2 files changed, 13 insertions, 12 deletions
diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c index c5f7b4e9eb6c..69fac068669f 100644 --- a/drivers/firmware/dmi_scan.c +++ b/drivers/firmware/dmi_scan.c @@ -78,7 +78,7 @@ static const char * __init dmi_string(const struct dmi_header *dm, u8 s) * We have to be cautious here. We have seen BIOSes with DMI pointers * pointing to completely the wrong place for example */ -static void dmi_table(u8 *buf, int len, int num, +static void dmi_table(u8 *buf, u32 len, int num, void (*decode)(const struct dmi_header *, void *), void *private_data) { @@ -93,12 +93,6 @@ static void dmi_table(u8 *buf, int len, int num, const struct dmi_header *dm = (const struct dmi_header *)data; /* - * 7.45 End-of-Table (Type 127) [SMBIOS reference spec v3.0.0] - */ - if (dm->type == DMI_ENTRY_END_OF_TABLE) - break; - - /* * We want to know the total length (formatted area and * strings) before decoding to make sure we won't run off the * table in dmi_decode or dmi_string @@ -108,13 +102,20 @@ static void dmi_table(u8 *buf, int len, int num, data++; if (data - buf < len - 1) decode(dm, private_data); + + /* + * 7.45 End-of-Table (Type 127) [SMBIOS reference spec v3.0.0] + */ + if (dm->type == DMI_ENTRY_END_OF_TABLE) + break; + data += 2; i++; } } static phys_addr_t dmi_base; -static u16 dmi_len; +static u32 dmi_len; static u16 dmi_num; static int __init dmi_walk_early(void (*decode)(const struct dmi_header *, diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index 2fe195002021..f07d4a67fa76 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -179,12 +179,12 @@ again: start = desc->phys_addr; end = start + desc->num_pages * (1UL << EFI_PAGE_SHIFT); - if ((start + size) > end || (start + size) > max) - continue; - - if (end - size > max) + if (end > max) end = max; + if ((start + size) > end) + continue; + if (round_down(end - size, align) < start) continue; |