ACPICA: Avoid subobject buffer overflow when validating RSDP signature

ACPICA commit 6bb72909c1e3d415aee214104a01bc9834b2d4ce Since the Signature member is accessed through an struct acpi_table_header, the pointer to it is only to a 4-char array, and so trying to read past the 4th character, as will be done when it is an RSDP, reads beyond the bounds of the accessed member. On CHERI, and thus Arm's experimental Morello prototype architecture, pointers are represented as capabilities, which are unforgeable bounded pointers, providing always-on fine-grained spatial memory safety. By default, subobject bounds enforcement is not enabled, only bounds on allocations, but it is enabled in the cheri_BSD (a port of free_BSD) kernel as intra-object overflow attacks are common on operating system kernels, and so this overflow is detected there and traps. Link: https://github.com/acpica/acpica/commit/6bb72909 Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
mariux64 · Dec 27, 2021 · a3e525f · a3e525f
1 parent 339651b
commit a3e525f
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/drivers/acpi/acpica/tbprint.c b/drivers/acpi/acpica/tbprint.c
@@ -101,7 +101,8 @@ acpi_tb_print_table_header(acpi_physical_address address,
 		ACPI_INFO(("%-4.4s 0x%8.8X%8.8X %06X",
 			   header->signature, ACPI_FORMAT_UINT64(address),
 			   header->length));
-	} else if (ACPI_VALIDATE_RSDP_SIG(header->signature)) {
+	} else if (ACPI_VALIDATE_RSDP_SIG(ACPI_CAST_PTR(struct acpi_table_rsdp,
+							header)->signature)) {
 
 		/* RSDP has no common fields */