On Thursday, December 14, 2017 1:31:16 PM CET Takashi Iwai wrote:
> The commit f6f828513290 ("pstore: pass allocated memory region back to
> caller") changed the check of the return value from erst_read() in
> erst_reader() in the following way:
>
> if (len == -ENOENT)
> goto skip;
> - else if (len < 0) {
> - rc = -1;
> + else if (len < sizeof(*rcd)) {
> + rc = -EIO;
> goto out;
>
> This introduced another bug: since the comparison with sizeof() is
> cast to unsigned, a negative len value doesn't hit any longer.
> As a result, when an error is returned from erst_read(), the code
> falls through, and it may eventually lead to some weird thing like
> memory corruption.
>
> This patch adds the negative error value check more explicitly for
> addressing the issue.
>
> Fixes: f6f828513290 ("pstore: pass allocated memory region back to caller")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Tested-by: Jerry Tang <jtang@xxxxxxxx>
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> ---
> drivers/acpi/apei/erst.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/acpi/apei/erst.c b/drivers/acpi/apei/erst.c
> index 6742f6c68034..9bff853e85f3 100644
> --- a/drivers/acpi/apei/erst.c
> +++ b/drivers/acpi/apei/erst.c
> @@ -1007,7 +1007,7 @@ static ssize_t erst_reader(struct pstore_record *record)
> /* The record may be cleared by others, try read next record */
> if (len == -ENOENT)
> goto skip;
> - else if (len < sizeof(*rcd)) {
> + else if (len < 0 || len < sizeof(*rcd)) {
> rc = -EIO;
> goto out;
> }
>
Applied, thanks!
--
To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
