[PATCH] ACPI: fix vendor resource length computation

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

acpi_rs_get_list_length() needs to account for all the vendor-defined data
bytes. Failing to include these causes buffers to be sized too small,
which causes slab corruption when we later convert AML to resources and run
off the end of the buffer.

This causes slab corruption on machines that use ACPI vendor-defined
resources. All HP ia64 machines do, and I'm told that some NEC machines
may as well.

Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Cc: "Brown, Len" <len.brown@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by

Bjorn Helgaas and committed by

Linus Torvalds 20 years ago 35b73ceb 636f13c1

+2 -4

1 changed file

expand all

drivers

acpi

resources

rscalc.c

+2 -4

drivers/acpi/resources/rscalc.c

··· 391 391 * Ensure a 32-bit boundary for the structure 392 392 */ 393 393 extra_struct_bytes = 394 - ACPI_ROUND_UP_to_32_bITS(resource_length) - 395 - resource_length; 394 + ACPI_ROUND_UP_to_32_bITS(resource_length); 396 395 break; 397 396 398 397 case ACPI_RESOURCE_NAME_END_TAG: ··· 407 408 * Add vendor data and ensure a 32-bit boundary for the structure 408 409 */ 409 410 extra_struct_bytes = 410 - ACPI_ROUND_UP_to_32_bITS(resource_length) - 411 - resource_length; 411 + ACPI_ROUND_UP_to_32_bITS(resource_length); 412 412 break; 413 413 414 414 case ACPI_RESOURCE_NAME_ADDRESS32: