Skip to content

Commit

Permalink
ACPI: APEI / ERST: Fix missing error handling in erst_reader()
Browse files Browse the repository at this point in the history 
The commit f6f8285 ("pstore: pass allocated memory region back to
caller") changed the check of the return value from erst_read() in
erst_reader() in the following way:

        if (len == -ENOENT)
                goto skip;
-       else if (len < 0) {
-               rc = -1;
+       else if (len < sizeof(*rcd)) {
+               rc = -EIO;
                goto out;

This introduced another bug: since the comparison with sizeof() is
cast to unsigned, a negative len value doesn't hit any longer.
As a result, when an error is returned from erst_read(), the code
falls through, and it may eventually lead to some weird thing like
memory corruption.

This patch adds the negative error value check more explicitly for
addressing the issue.

Fixes: f6f8285 (pstore: pass allocated memory region back to caller)
Cc: All applicable <stable@vger.kernel.org>
Tested-by: Jerry Tang <jtang@suse.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
  • Loading branch information
Takashi Iwai authored and Rafael J. Wysocki committed Dec 18, 2017
1 parent 1291a0d commit bb82e0b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/acpi/apei/erst.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1007,7 +1007,7 @@ static ssize_t erst_reader(struct pstore_record *record)
/* The record may be cleared by others, try read next record */
if (len == -ENOENT)
goto skip;
else if (len < sizeof(*rcd)) {
else if (len < 0 || len < sizeof(*rcd)) {
rc = -EIO;
goto out;
}
Expand Down

0 comments on commit bb82e0b

Please sign in to comment.