Module Name:    src
Committed By:   snj
Date:           Sun Apr  8 06:06:07 UTC 2018

Modified Files:
        src/sys/dev/acpi [netbsd-8]: acpi_mcfg.c

Log Message:
Pull up following revision(s) (requested by nonaka in ticket #700):
        sys/dev/acpi/acpi_mcfg.c: 1.6
Change the iteration, to make sure the ACPI_MCFG_ALLOCATION structure we're
reading fits the table we allocated. Linux does the same.
I have a laptop which, for some reason, reports a table size of 62 bytes.
Clearly that's incorrect, it should be 60 (44 + 16). Because of the stray
+2, here the kernel reads past the end of the allocated buffer, hits an
unmapped VA, and panics at boot time. So the laptop can't boot.
Now it boots fine.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.10.1 src/sys/dev/acpi/acpi_mcfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/acpi/acpi_mcfg.c
diff -u src/sys/dev/acpi/acpi_mcfg.c:1.4 src/sys/dev/acpi/acpi_mcfg.c:1.4.10.1
--- src/sys/dev/acpi/acpi_mcfg.c:1.4	Tue Jul 12 09:45:34 2016
+++ src/sys/dev/acpi/acpi_mcfg.c	Sun Apr  8 06:06:07 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: acpi_mcfg.c,v 1.4 2016/07/12 09:45:34 hannken Exp $	*/
+/*	$NetBSD: acpi_mcfg.c,v 1.4.10.1 2018/04/08 06:06:07 snj Exp $	*/
 
 /*-
  * Copyright (C) 2015 NONAKA Kimihiro <non...@netbsd.org>
@@ -26,7 +26,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.4 2016/07/12 09:45:34 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.4.10.1 2018/04/08 06:06:07 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/device.h>
@@ -287,7 +287,8 @@ acpimcfg_probe(struct acpi_softc *sc)
 	nsegs = 0;
 	offset = sizeof(ACPI_TABLE_MCFG);
 	ama = ACPI_ADD_PTR(ACPI_MCFG_ALLOCATION, mcfg, offset);
-	for (i = 0; offset < mcfg->Header.Length; i++) {
+	for (i = 0; offset + sizeof(ACPI_MCFG_ALLOCATION) <=
+	    mcfg->Header.Length; i++) {
 		aprint_debug_dev(sc->sc_dev,
 		    "MCFG: segment %d, bus %d-%d, address 0x%016" PRIx64 "\n",
 		    ama->PciSegment, ama->StartBusNumber, ama->EndBusNumber,
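Review bot: In the new `for` condition, `offset + sizeof(ACPI_MCFG_ALLOCATION) <= mcfg->Header.Length` silently skips any trailing bytes that do not make up a whole entry, so a firmware table with a wrong length (the log message cites 62 where 60 is expected) leaves no trace in the boot messages. Consider a check once the loop finishes that emits an `aprint_debug_dev` line when `offset != mcfg->Header.Length`, and a short comment above the loop stating that the bound exists because the reported table length cannot be assumed to be a whole number of entries past the header.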

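The length arithmetic from the log message, as an added user-space example (not NetBSD code and not part of this commit): it compares the old and new loop bounds on a table that claims 62 bytes and, going one step beyond the commit, also rejects a claimed length that exceeds the mapped buffer. The names `iterations_old_bound`, `mcfg_count_entries` and `demo` are hypothetical, and the table bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sizes from the log message: 44-byte MCFG header, 16-byte allocation entry. */
#define MCFG_HDR_LEN   44u
#define MCFG_ENTRY_LEN 16u

/* Old loop bound: counts iterations started while offset < claimed length. */
static int iterations_old_bound(size_t claimed)
{
    int n = 0;
    for (size_t off = MCFG_HDR_LEN; off < claimed; off += MCFG_ENTRY_LEN)
        n++;
    return n;
}

/* Hypothetical helper: whole entries in a table with buflen mapped bytes;
 * -1 if the claimed length is below the header size or beyond the mapping. */
static int mcfg_count_entries(const uint8_t *buf, size_t buflen, size_t *stray)
{
    if (buflen < MCFG_HDR_LEN)
        return -1;
    /* ACPI table header: 32-bit little-endian Length at byte offset 4. */
    size_t claimed = buf[4] | buf[5] << 8 | buf[6] << 16 | (size_t)buf[7] << 24;
    if (claimed < MCFG_HDR_LEN || claimed > buflen)
        return -1;
    int n = 0;
    size_t off = MCFG_HDR_LEN;
    /* Subtraction form of the fixed bound; cannot wrap since off <= claimed. */
    for (; claimed - off >= MCFG_ENTRY_LEN; off += MCFG_ENTRY_LEN)
        n++;
    *stray = claimed - off;   /* trailing bytes that form no entry */
    return n;
}

/* Constructed sample: zeroed table whose header claims `claimed` (< 256) bytes. */
static int demo(size_t claimed, size_t buflen, size_t *stray)
{
    uint8_t table[128] = { 'M', 'C', 'F', 'G' };
    table[4] = (uint8_t)claimed;
    return mcfg_count_entries(table, buflen, stray);
}

int main(void)
{
    size_t stray = 0;
    printf("old=%d new=%d\n", iterations_old_bound(62), demo(62, 62, &stray));
    return 0;
}
```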