acpi, nfit, libnvdimm: fix / harden ars_status output length handling
authorDan Williams <dan.j.williams@intel.com>
Tue, 6 Dec 2016 17:10:12 +0000 (09:10 -0800)
committerDan Williams <dan.j.williams@intel.com>
Wed, 7 Dec 2016 00:08:10 +0000 (16:08 -0800)
Given ambiguities in the ACPI 6.1 definition of the "Output (Size)"
field of the ARS (Address Range Scrub) Status command, a firmware
implementation may in practice return 0, 4, or 8 to indicate that there
is no output payload to process.

The specification states "Size of Output Buffer in bytes, including this
field.". However, 'Output Buffer' is also the name of the entire
payload, and earlier in the specification it states "Max Query ARS
Status Output Buffer Size: Maximum size of buffer (including the Status
and Extended Status fields)".

Without this fix if the BIOS happens to return 0 it causes memory
corruption as evidenced by this result from the acpi_nfit_ctl() unit
test.

 ars_status00000000: 00020000 00000000                    ........
 BUG: stack guard page was hit at ffffc90001750000 (stack is ffffc9000174c000..ffffc9000174ffff)
 kernel stack overflow (page fault): 0000 [#1] SMP DEBUG_PAGEALLOC
 task: ffff8803332d2ec0 task.stack: ffffc9000174c000
 RIP: 0010:[<ffffffff814cfe72>]  [<ffffffff814cfe72>] __memcpy+0x12/0x20
 RSP: 0018:ffffc9000174f9a8  EFLAGS: 00010246
 RAX: ffffc9000174fab8 RBX: 0000000000000000 RCX: 000000001fffff56
 RDX: 0000000000000000 RSI: ffff8803231f5a08 RDI: ffffc90001750000
 RBP: ffffc9000174fa88 R08: ffffc9000174fab0 R09: ffff8803231f54b8
 R10: 0000000000000008 R11: 0000000000000001 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000003 R15: ffff8803231f54a0
 FS:  00007f3a611af640(0000) GS:ffff88033ed00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffffc90001750000 CR3: 0000000325b20000 CR4: 00000000000406e0
 Stack:
  ffffffffa00bc60d 0000000000000008 ffffc90000000001 ffffc9000174faac
  0000000000000292 ffffffffa00c24e4 ffffffffa00c2914 0000000000000000
  0000000000000000 ffffffff00000003 ffff880331ae8ad0 0000000800000246
 Call Trace:
  [<ffffffffa00bc60d>] ? acpi_nfit_ctl+0x49d/0x750 [nfit]
  [<ffffffffa01f4fe0>] nfit_test_probe+0x670/0xb1b [nfit_test]

Cc: <stable@vger.kernel.org>
Fixes: 747ffe11b440 ("libnvdimm, tools/testing/nvdimm: fix 'ars_status' output buffer sizing")
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
drivers/acpi/nfit/core.c
drivers/nvdimm/bus.c
include/linux/libnvdimm.h

index 60acbb1d159c2e4b25adca486912bd04879b2a93..e58ec32393b786409e4c00772c5531783aa45aaa 100644 (file)
@@ -298,7 +298,8 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
 
        for (i = 0, offset = 0; i < desc->out_num; i++) {
                u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf,
-                               (u32 *) out_obj->buffer.pointer);
+                               (u32 *) out_obj->buffer.pointer,
+                               out_obj->buffer.length - offset);
 
                if (offset + out_size > out_obj->buffer.length) {
                        dev_dbg(dev, "%s:%s output object underflow cmd: %s field: %d\n",
index a8b6949a8778835a89cef3469f031b77956d0c45..23d4a1728cdfa4993903b6b4504c6a70f5a7fff4 100644 (file)
@@ -715,7 +715,7 @@ EXPORT_SYMBOL_GPL(nd_cmd_in_size);
 
 u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
                const struct nd_cmd_desc *desc, int idx, const u32 *in_field,
-               const u32 *out_field)
+               const u32 *out_field, unsigned long remainder)
 {
        if (idx >= desc->out_num)
                return UINT_MAX;
@@ -727,9 +727,24 @@ u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
                return in_field[1];
        else if (nvdimm && cmd == ND_CMD_VENDOR && idx == 2)
                return out_field[1];
-       else if (!nvdimm && cmd == ND_CMD_ARS_STATUS && idx == 2)
-               return out_field[1] - 8;
-       else if (cmd == ND_CMD_CALL) {
+       else if (!nvdimm && cmd == ND_CMD_ARS_STATUS && idx == 2) {
+               /*
+                * Per table 9-276 ARS Data in ACPI 6.1, out_field[1] is
+                * "Size of Output Buffer in bytes, including this
+                * field."
+                */
+               if (out_field[1] < 4)
+                       return 0;
+               /*
+                * ACPI 6.1 is ambiguous if 'status' is included in the
+                * output size. If we encounter an output size that
+                * overshoots the remainder by 4 bytes, assume it was
+                * including 'status'.
+                */
+               if (out_field[1] - 8 == remainder)
+                       return remainder;
+               return out_field[1] - 4;
+       } else if (cmd == ND_CMD_CALL) {
                struct nd_cmd_pkg *pkg = (struct nd_cmd_pkg *) in_field;
 
                return pkg->nd_size_out;
@@ -876,7 +891,7 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
        /* process an output envelope */
        for (i = 0; i < desc->out_num; i++) {
                u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i,
-                               (u32 *) in_env, (u32 *) out_env);
+                               (u32 *) in_env, (u32 *) out_env, 0);
                u32 copy;
 
                if (out_size == UINT_MAX) {
index f4947fda11e771c35c6465d3b329a8611249ee8b..8458c5351e562e57ea1161fc5ab234d5e53a47bb 100644 (file)
@@ -143,7 +143,7 @@ u32 nd_cmd_in_size(struct nvdimm *nvdimm, int cmd,
                const struct nd_cmd_desc *desc, int idx, void *buf);
 u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
                const struct nd_cmd_desc *desc, int idx, const u32 *in_field,
-               const u32 *out_field);
+               const u32 *out_field, unsigned long remainder);
 int nvdimm_bus_check_dimm_count(struct nvdimm_bus *nvdimm_bus, int dimm_count);
 struct nd_region *nvdimm_pmem_region_create(struct nvdimm_bus *nvdimm_bus,
                struct nd_region_desc *ndr_desc);