[SRU][Trusty][PATCH 1/1] x86/acpi: Prevent out of bound access caused by broken ACPI tables

[Colin Ian King]

On 10/07/18 18:28, Kleber Sacilotto de Souza wrote:
> From: Seunghun Han <kkamagui at gmail.com>
> 
> The bus_irq argument of mp_override_legacy_irq() is used as the index into
> the isa_irq_to_gsi[] array. The bus_irq argument originates from
> ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
> tables, but is nowhere sanity checked.
> 
> That allows broken or malicious ACPI tables to overwrite memory, which
> might cause malfunction, panic or arbitrary code execution.
> 
> Add a sanity check and emit a warning when that triggers.
> 
> [ tglx: Added warning and rewrote changelog ]
> 
> Signed-off-by: Seunghun Han <kkamagui at gmail.com>
> Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
> Cc: security at kernel.org
> Cc: "Rafael J. Wysocki" <rjw at rjwysocki.net>
> Cc: stable at vger.kernel.org
> Signed-off-by: Ingo Molnar <mingo at kernel.org>
> 
> CVE-2017-11473
> (cherry picked from commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---
>  arch/x86/kernel/acpi/boot.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
> index 6c0b43bd024b..2c3cd05ba747 100644
> --- a/arch/x86/kernel/acpi/boot.c
> +++ b/arch/x86/kernel/acpi/boot.c
> @@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi)
>  	int pin;
>  	struct mpc_intsrc mp_irq;
>  
> +	/*
> +	 * Check bus_irq boundary.
> +	 */
> +	if (bus_irq >= NR_IRQS_LEGACY) {
> +		pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
> +		return;
> +	}
> +
>  	/*
>  	 * Convert 'gsi' to 'ioapic.pin'.
>  	 */
> 

Eeek, can't believe there was no check on that before. Looks good,

Acked-by: Colin Ian King <colin.king at canonical.com>