Header length should be validated for all ACPI tables before accessing any non-header field. The valid flags should also be checked, as with it clear there's no point in trying to go through the rest of the code (and there's no guarantee that the other table contents are valid/consistent in that case).

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
 arch/x86/platform/efi/efi-bgrt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- 3.7-rc4/arch/x86/platform/efi/efi-bgrt.c +++ 3.7-rc4-x86-EFI-BGRT-checks/arch/x86/platform/efi/efi-bgrt.c @@ -39,7 +39,9 @@ void efi_bgrt_init(void) if (ACPI_FAILURE(status)) return; - if (bgrt_tab->version != 1) + if (bgrt_tab->header.length < sizeof(*bgrt_tab)) + return; + if (bgrt_tab->version != 1 || !(bgrt_tab->status & 1)) return; if (bgrt_tab->image_type != 0 || !bgrt_tab->image_address) return;
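
Review bot: the "!(bgrt_tab->status & 1)" test in the new version/status condition uses a bare literal for the bit the commit message calls the valid flag; a named constant or a one-line comment at that condition would tie the code to the description. The added "bgrt_tab->header.length < sizeof(*bgrt_tab)" check returns silently, as do the other early returns visible in this hunk, so a firmware table that is too short cannot be told apart from one that is simply absent or marked invalid; a warning on the length failure would help when diagnosing broken firmware. Placing the length check ahead of the version, status, image_type and image_address reads is the right order and should stay that way if more fields are checked later.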