[PATCH v2] ACPI: GTDT: Tighten the check for the array of platform timer structures

Zheng Zengkai posted 1 patch 1 month, 2 weeks ago
There is a newer version of this series
drivers/acpi/arm64/gtdt.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
[PATCH v2] ACPI: GTDT: Tighten the check for the array of platform timer structures
Posted by Zheng Zengkai 1 month, 2 weeks ago
As suggested by Marc and Lorenzo, first we need to check whether the
platform_timer entry pointer is within gtdt bounds (< gtdt_end) before
de-referencing what it points at to detect the length of the platform
timer struct and then check that the length of current platform_timer
struct is within gtdt_end too. Now next_platform_timer() only checks
against gtdt_end for the entry of subsequent platform timer without
checking the length of it and will not report error if the check failed.

Add check against table length (gtdt_end) for each element of platform
timer array in acpi_gtdt_init() early, making sure that both their entry
and length actually fit in the table.

For the first platform timer, keep the check against the end of the
acpi_table_gtdt struct, it is unnecessary for subsequent platform timer.

Suggested-by: Marc Zyngier <maz@kernel.org>
Suggested-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
---
Changes in v2:
- Check against gtdt_end for both entry and len of each array element

v1: https://lore.kernel.org/all/20241010144703.113728-1-zhengzengkai@huawei.com/
---
 drivers/acpi/arm64/gtdt.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
index c0e77c1c8e09..f5f62643899d 100644
--- a/drivers/acpi/arm64/gtdt.c
+++ b/drivers/acpi/arm64/gtdt.c
@@ -157,6 +157,8 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
 {
 	void *platform_timer;
 	struct acpi_table_gtdt *gtdt;
+	struct acpi_gtdt_header *gh;
+	void *struct_end;
 
 	gtdt = container_of(table, struct acpi_table_gtdt, header);
 	acpi_gtdt_desc.gtdt = gtdt;
@@ -177,11 +179,20 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
 	}
 
 	platform_timer = (void *)gtdt + gtdt->platform_timer_offset;
-	if (platform_timer < (void *)table + sizeof(struct acpi_table_gtdt)) {
-		pr_err(FW_BUG "invalid timer data.\n");
-		return -EINVAL;
+	struct_end = (void *)table + sizeof(struct acpi_table_gtdt);
+	for (int i = 0; i < gtdt->platform_timer_count; i++) {
+		gh = platform_timer;
+		if (((i == 0 && platform_timer >= struct_end) || i != 0) &&
+			platform_timer < acpi_gtdt_desc.gtdt_end &&
+			platform_timer + gh->length <= acpi_gtdt_desc.gtdt_end) {
+			platform_timer += gh->length;
+		} else {
+			pr_err(FW_BUG "invalid timer data.\n");
+			return -EINVAL;
+		}
 	}
-	acpi_gtdt_desc.platform_timer = platform_timer;
+
+	acpi_gtdt_desc.platform_timer = (void *)gtdt + gtdt->platform_timer_offset;
 	if (platform_timer_count)
 		*platform_timer_count = gtdt->platform_timer_count;
 
-- 
2.20.1
Re: [PATCH v2] ACPI: GTDT: Tighten the check for the array of platform timer structures
Posted by Marc Zyngier 1 month, 2 weeks ago
On Sat, 12 Oct 2024 09:53:43 +0100,
Zheng Zengkai <zhengzengkai@huawei.com> wrote:
> 
> As suggested by Marc and Lorenzo, first we need to check whether the
> platform_timer entry pointer is within gtdt bounds (< gtdt_end) before
> de-referencing what it points at to detect the length of the platform
> timer struct and then check that the length of current platform_timer
> struct is within gtdt_end too. Now next_platform_timer() only checks
> against gtdt_end for the entry of subsequent platform timer without
> checking the length of it and will not report error if the check failed.
> 
> Add check against table length (gtdt_end) for each element of platform
> timer array in acpi_gtdt_init() early, making sure that both their entry
> and length actually fit in the table.
> 
> For the first platform timer, keep the check against the end of the
> acpi_table_gtdt struct, it is unnecessary for subsequent platform timer.

Really?

>
> Suggested-by: Marc Zyngier <maz@kernel.org>
> Suggested-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
> ---
> Changes in v2:
> - Check against gtdt_end for both entry and len of each array element
> 
> v1: https://lore.kernel.org/all/20241010144703.113728-1-zhengzengkai@huawei.com/
> ---
>  drivers/acpi/arm64/gtdt.c | 19 +++++++++++++++----
>  1 file changed, 15 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
> index c0e77c1c8e09..f5f62643899d 100644
> --- a/drivers/acpi/arm64/gtdt.c
> +++ b/drivers/acpi/arm64/gtdt.c
> @@ -157,6 +157,8 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
>  {
>  	void *platform_timer;
>  	struct acpi_table_gtdt *gtdt;
> +	struct acpi_gtdt_header *gh;
> +	void *struct_end;
>  
>  	gtdt = container_of(table, struct acpi_table_gtdt, header);
>  	acpi_gtdt_desc.gtdt = gtdt;
> @@ -177,11 +179,20 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
>  	}
>  
>  	platform_timer = (void *)gtdt + gtdt->platform_timer_offset;
> -	if (platform_timer < (void *)table + sizeof(struct acpi_table_gtdt)) {
> -		pr_err(FW_BUG "invalid timer data.\n");
> -		return -EINVAL;
> +	struct_end = (void *)table + sizeof(struct acpi_table_gtdt);
> +	for (int i = 0; i < gtdt->platform_timer_count; i++) {
> +		gh = platform_timer;
> +		if (((i == 0 && platform_timer >= struct_end) || i != 0) &&

Why is only index 0 checked against the end of the table? Shouldn't
int be an invariant that all timer descriptions must not intersect
with the non-variable part of the GTDT table?

> +			platform_timer < acpi_gtdt_desc.gtdt_end &&
> +			platform_timer + gh->length <= acpi_gtdt_desc.gtdt_end) {

Surely, assuming that length isn't zero, if the last term is true, the
previous one also is? And what if it is 0?

Again, you cannot trust *anything* you find in the ACPI table.

> +			platform_timer += gh->length;

You are also reinventing the wheel, and repeating some of the worse
constructs in this code. It would be much better to build on (and
augment) the existing primitives to make the code *readable* instead
of being this pointer soup. Believe it or not, there is some value in
abstracting things.

I came up with the patchlet below, very lightly tested on my
Synquacer. It may not be optimal, but given that this is used exactly
once per boot, I'm sure we can afford a few extra comparisons. It
makes the iterator robust, and then uses that to implement the checks.

	M.

diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
index c0e77c1c8e09d..dca814183cc5c 100644
--- a/drivers/acpi/arm64/gtdt.c
+++ b/drivers/acpi/arm64/gtdt.c
@@ -36,15 +36,24 @@ struct acpi_gtdt_descriptor {
 
 static struct acpi_gtdt_descriptor acpi_gtdt_desc __initdata;
 
-static inline __init void *next_platform_timer(void *platform_timer)
+static __init bool platform_timer_valid(void *platform_timer)
 {
 	struct acpi_gtdt_header *gh = platform_timer;
 
-	platform_timer += gh->length;
-	if (platform_timer < acpi_gtdt_desc.gtdt_end)
-		return platform_timer;
+	return (gh->length != 0 &&
+		platform_timer >= (void *)(acpi_gtdt_desc.gtdt + 1) &&
+		platform_timer + gh->length <= acpi_gtdt_desc.gtdt_end);
+}
+
+static __init void *next_platform_timer(void *platform_timer)
+{
+	struct acpi_gtdt_header *gh = platform_timer;
 
-	return NULL;
+	if (!platform_timer_valid(platform_timer) ||
+	    !platform_timer_valid(platform_timer + gh->length))
+		return NULL;
+
+	return platform_timer + gh->length;
 }
 
 #define for_each_platform_timer(_g)				\
@@ -155,8 +164,9 @@ bool __init acpi_gtdt_c3stop(int type)
 int __init acpi_gtdt_init(struct acpi_table_header *table,
 			  int *platform_timer_count)
 {
-	void *platform_timer;
+	void *platform_timer, *tmp;
 	struct acpi_table_gtdt *gtdt;
+	int cnt = 0;
 
 	gtdt = container_of(table, struct acpi_table_gtdt, header);
 	acpi_gtdt_desc.gtdt = gtdt;
@@ -177,7 +187,12 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
 	}
 
 	platform_timer = (void *)gtdt + gtdt->platform_timer_offset;
-	if (platform_timer < (void *)table + sizeof(struct acpi_table_gtdt)) {
+	for (tmp = platform_timer;
+	     tmp && platform_timer_valid(tmp);
+	     tmp = next_platform_timer(tmp))
+		cnt++;
+
+	if (cnt != gtdt->platform_timer_count) {
 		pr_err(FW_BUG "invalid timer data.\n");
 		return -EINVAL;
 	}

-- 
Without deviation from the norm, progress is not possible.
Re: [PATCH v2] ACPI: GTDT: Tighten the check for the array of platform timer structures
Posted by Zheng Zengkai 1 month, 1 week ago
Hi Marc,

在 2024/10/13 1:34, Marc Zyngier 写道:
> On Sat, 12 Oct 2024 09:53:43 +0100,
> Zheng Zengkai <zhengzengkai@huawei.com> wrote:
>> As suggested by Marc and Lorenzo, first we need to check whether the
>> platform_timer entry pointer is within gtdt bounds (< gtdt_end) before
>> de-referencing what it points at to detect the length of the platform
>> timer struct and then check that the length of current platform_timer
>> struct is within gtdt_end too. Now next_platform_timer() only checks
>> against gtdt_end for the entry of subsequent platform timer without
>> checking the length of it and will not report error if the check failed.
>>
>> Add check against table length (gtdt_end) for each element of platform
>> timer array in acpi_gtdt_init() early, making sure that both their entry
>> and length actually fit in the table.
>>
>> For the first platform timer, keep the check against the end of the
>> acpi_table_gtdt struct, it is unnecessary for subsequent platform timer.
> Really?
>
>> Suggested-by: Marc Zyngier <maz@kernel.org>
>> Suggested-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
>> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
>> ---
>> Changes in v2:
>> - Check against gtdt_end for both entry and len of each array element
>>
>> v1: https://lore.kernel.org/all/20241010144703.113728-1-zhengzengkai@huawei.com/
>> ---
>>   drivers/acpi/arm64/gtdt.c | 19 +++++++++++++++----
>>   1 file changed, 15 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
>> index c0e77c1c8e09..f5f62643899d 100644
>> --- a/drivers/acpi/arm64/gtdt.c
>> +++ b/drivers/acpi/arm64/gtdt.c
>> @@ -157,6 +157,8 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
>>   {
>>   	void *platform_timer;
>>   	struct acpi_table_gtdt *gtdt;
>> +	struct acpi_gtdt_header *gh;
>> +	void *struct_end;
>>   
>>   	gtdt = container_of(table, struct acpi_table_gtdt, header);
>>   	acpi_gtdt_desc.gtdt = gtdt;
>> @@ -177,11 +179,20 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
>>   	}
>>   
>>   	platform_timer = (void *)gtdt + gtdt->platform_timer_offset;
>> -	if (platform_timer < (void *)table + sizeof(struct acpi_table_gtdt)) {
>> -		pr_err(FW_BUG "invalid timer data.\n");
>> -		return -EINVAL;
>> +	struct_end = (void *)table + sizeof(struct acpi_table_gtdt);
>> +	for (int i = 0; i < gtdt->platform_timer_count; i++) {
>> +		gh = platform_timer;
>> +		if (((i == 0 && platform_timer >= struct_end) || i != 0) &&
> Why is only index 0 checked against the end of the table? Shouldn't
> int be an invariant that all timer descriptions must not intersect
> with the non-variable part of the GTDT table?


AFAICS, after checking against the end of the acpi_table_gtdt struct for the

first platform timer, the subsequent platform_timer pointer value

computed via "platform_timer + gh->length" will also pass the check,

as the gh->length is of u16 type.


>> +			platform_timer < acpi_gtdt_desc.gtdt_end &&
>> +			platform_timer + gh->length <= acpi_gtdt_desc.gtdt_end) {
> Surely, assuming that length isn't zero, if the last term is true, the
> previous one also is? And what if it is 0?


Agree , the length should also be checked against 0,

but I think we should first check the platform_timer entry pointer,

then check the size of the same platform_timer structure,

not check them in the opposite order.


> Again, you cannot trust *anything* you find in the ACPI table.
>
>> +			platform_timer += gh->length;
> You are also reinventing the wheel, and repeating some of the worse
> constructs in this code. It would be much better to build on (and
> augment) the existing primitives to make the code *readable* instead
> of being this pointer soup. Believe it or not, there is some value in
> abstracting things.


Yes. Abstract things common and reuse it is better.


> I came up with the patchlet below, very lightly tested on my
> Synquacer. It may not be optimal, but given that this is used exactly
> once per boot, I'm sure we can afford a few extra comparisons. It
> makes the iterator robust, and then uses that to implement the checks.
>
> 	M.
>
> diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
> index c0e77c1c8e09d..dca814183cc5c 100644
> --- a/drivers/acpi/arm64/gtdt.c
> +++ b/drivers/acpi/arm64/gtdt.c
> @@ -36,15 +36,24 @@ struct acpi_gtdt_descriptor {
>   
>   static struct acpi_gtdt_descriptor acpi_gtdt_desc __initdata;
>   
> -static inline __init void *next_platform_timer(void *platform_timer)
> +static __init bool platform_timer_valid(void *platform_timer)
>   {
>   	struct acpi_gtdt_header *gh = platform_timer;
>   
> -	platform_timer += gh->length;
> -	if (platform_timer < acpi_gtdt_desc.gtdt_end)
> -		return platform_timer;
> +	return (gh->length != 0 &&


Shall we first check against gtdt_end for the platform_timer entry?

making sure that platform timer entry(the gh) is within gtdt_end

and valid


Thanks!


> +		platform_timer >= (void *)(acpi_gtdt_desc.gtdt + 1) &&
> +		platform_timer + gh->length <= acpi_gtdt_desc.gtdt_end);
> +}
> +
> +static __init void *next_platform_timer(void *platform_timer)
> +{
> +	struct acpi_gtdt_header *gh = platform_timer;
>   
> -	return NULL;
> +	if (!platform_timer_valid(platform_timer) ||
> +	    !platform_timer_valid(platform_timer + gh->length))
> +		return NULL;
> +
> +	return platform_timer + gh->length;
>   }
>   
>   #define for_each_platform_timer(_g)				\
> @@ -155,8 +164,9 @@ bool __init acpi_gtdt_c3stop(int type)
>   int __init acpi_gtdt_init(struct acpi_table_header *table,
>   			  int *platform_timer_count)
>   {
> -	void *platform_timer;
> +	void *platform_timer, *tmp;
>   	struct acpi_table_gtdt *gtdt;
> +	int cnt = 0;
>   
>   	gtdt = container_of(table, struct acpi_table_gtdt, header);
>   	acpi_gtdt_desc.gtdt = gtdt;
> @@ -177,7 +187,12 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
>   	}
>   
>   	platform_timer = (void *)gtdt + gtdt->platform_timer_offset;
> -	if (platform_timer < (void *)table + sizeof(struct acpi_table_gtdt)) {
> +	for (tmp = platform_timer;
> +	     tmp && platform_timer_valid(tmp);
> +	     tmp = next_platform_timer(tmp))
> +		cnt++;
> +
> +	if (cnt != gtdt->platform_timer_count) {
>   		pr_err(FW_BUG "invalid timer data.\n");
>   		return -EINVAL;
>   	}
>
Re: [PATCH v2] ACPI: GTDT: Tighten the check for the array of platform timer structures
Posted by Marc Zyngier 1 month, 1 week ago
On Mon, 14 Oct 2024 13:22:26 +0100,
Zheng Zengkai <zhengzengkai@huawei.com> wrote:
> 
> Hi Marc,
> 
> 在 2024/10/13 1:34, Marc Zyngier 写道:
> > On Sat, 12 Oct 2024 09:53:43 +0100,
> > Zheng Zengkai <zhengzengkai@huawei.com> wrote:
> >> As suggested by Marc and Lorenzo, first we need to check whether the
> >> platform_timer entry pointer is within gtdt bounds (< gtdt_end) before
> >> de-referencing what it points at to detect the length of the platform
> >> timer struct and then check that the length of current platform_timer
> >> struct is within gtdt_end too. Now next_platform_timer() only checks
> >> against gtdt_end for the entry of subsequent platform timer without
> >> checking the length of it and will not report error if the check failed.
> >> 
> >> Add check against table length (gtdt_end) for each element of platform
> >> timer array in acpi_gtdt_init() early, making sure that both their entry
> >> and length actually fit in the table.
> >> 
> >> For the first platform timer, keep the check against the end of the
> >> acpi_table_gtdt struct, it is unnecessary for subsequent platform timer.
> > Really?
> > 
> >> Suggested-by: Marc Zyngier <maz@kernel.org>
> >> Suggested-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
> >> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
> >> ---
> >> Changes in v2:
> >> - Check against gtdt_end for both entry and len of each array element
> >> 
> >> v1: https://lore.kernel.org/all/20241010144703.113728-1-zhengzengkai@huawei.com/
> >> ---
> >>   drivers/acpi/arm64/gtdt.c | 19 +++++++++++++++----
> >>   1 file changed, 15 insertions(+), 4 deletions(-)
> >> 
> >> diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
> >> index c0e77c1c8e09..f5f62643899d 100644
> >> --- a/drivers/acpi/arm64/gtdt.c
> >> +++ b/drivers/acpi/arm64/gtdt.c
> >> @@ -157,6 +157,8 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
> >>   {
> >>   	void *platform_timer;
> >>   	struct acpi_table_gtdt *gtdt;
> >> +	struct acpi_gtdt_header *gh;
> >> +	void *struct_end;
> >>     	gtdt = container_of(table, struct acpi_table_gtdt, header);
> >>   	acpi_gtdt_desc.gtdt = gtdt;
> >> @@ -177,11 +179,20 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
> >>   	}
> >>     	platform_timer = (void *)gtdt + gtdt->platform_timer_offset;
> >> -	if (platform_timer < (void *)table + sizeof(struct acpi_table_gtdt)) {
> >> -		pr_err(FW_BUG "invalid timer data.\n");
> >> -		return -EINVAL;
> >> +	struct_end = (void *)table + sizeof(struct acpi_table_gtdt);
> >> +	for (int i = 0; i < gtdt->platform_timer_count; i++) {
> >> +		gh = platform_timer;
> >> +		if (((i == 0 && platform_timer >= struct_end) || i != 0) &&
> > Why is only index 0 checked against the end of the table? Shouldn't
> > int be an invariant that all timer descriptions must not intersect
> > with the non-variable part of the GTDT table?
> 
> 
> AFAICS, after checking against the end of the acpi_table_gtdt struct for the
> first platform timer, the subsequent platform_timer pointer value
> computed via "platform_timer + gh->length" will also pass the check,
> as the gh->length is of u16 type.

But this is something that isn't obvious to the casual reader of this
code, and you want to keep validation code simple and localised, with
as few separate cases as you can. This isn't performance critical
code, and there is nothing to be gained by "optimising" this.

> 
> 
> >> +			platform_timer < acpi_gtdt_desc.gtdt_end &&
> >> +			platform_timer + gh->length <= acpi_gtdt_desc.gtdt_end) {
> > Surely, assuming that length isn't zero, if the last term is true, the
> > previous one also is? And what if it is 0?
> 
> 
> Agree , the length should also be checked against 0,
> but I think we should first check the platform_timer entry pointer,
> then check the size of the same platform_timer structure,
> not check them in the opposite order.

Correct, that's something that needs fixing. Run with it.

	M.

-- 
Without deviation from the norm, progress is not possible.
Re: [PATCH v2] ACPI: GTDT: Tighten the check for the array of platform timer structures
Posted by Zheng Zengkai 1 month, 1 week ago
Hi Marc,

在 2024/10/14 22:26, Marc Zyngier 写道:
> On Mon, 14 Oct 2024 13:22:26 +0100,
> Zheng Zengkai <zhengzengkai@huawei.com> wrote:
>> Hi Marc,
>>
>> 在 2024/10/13 1:34, Marc Zyngier 写道:
>>> On Sat, 12 Oct 2024 09:53:43 +0100,
>>> Zheng Zengkai <zhengzengkai@huawei.com> wrote:
>>>> As suggested by Marc and Lorenzo, first we need to check whether the
>>>> platform_timer entry pointer is within gtdt bounds (< gtdt_end) before
>>>> de-referencing what it points at to detect the length of the platform
>>>> timer struct and then check that the length of current platform_timer
>>>> struct is within gtdt_end too. Now next_platform_timer() only checks
>>>> against gtdt_end for the entry of subsequent platform timer without
>>>> checking the length of it and will not report error if the check failed.
>>>>
>>>> Add check against table length (gtdt_end) for each element of platform
>>>> timer array in acpi_gtdt_init() early, making sure that both their entry
>>>> and length actually fit in the table.
>>>>
>>>> For the first platform timer, keep the check against the end of the
>>>> acpi_table_gtdt struct, it is unnecessary for subsequent platform timer.
>>> Really?
>>>
>>>> Suggested-by: Marc Zyngier <maz@kernel.org>
>>>> Suggested-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
>>>> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
>>>> ---
>>>> Changes in v2:
>>>> - Check against gtdt_end for both entry and len of each array element
>>>>
>>>> v1: https://lore.kernel.org/all/20241010144703.113728-1-zhengzengkai@huawei.com/
>>>> ---
>>>>    drivers/acpi/arm64/gtdt.c | 19 +++++++++++++++----
>>>>    1 file changed, 15 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
>>>> index c0e77c1c8e09..f5f62643899d 100644
>>>> --- a/drivers/acpi/arm64/gtdt.c
>>>> +++ b/drivers/acpi/arm64/gtdt.c
>>>> @@ -157,6 +157,8 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
>>>>    {
>>>>    	void *platform_timer;
>>>>    	struct acpi_table_gtdt *gtdt;
>>>> +	struct acpi_gtdt_header *gh;
>>>> +	void *struct_end;
>>>>      	gtdt = container_of(table, struct acpi_table_gtdt, header);
>>>>    	acpi_gtdt_desc.gtdt = gtdt;
>>>> @@ -177,11 +179,20 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
>>>>    	}
>>>>      	platform_timer = (void *)gtdt + gtdt->platform_timer_offset;
>>>> -	if (platform_timer < (void *)table + sizeof(struct acpi_table_gtdt)) {
>>>> -		pr_err(FW_BUG "invalid timer data.\n");
>>>> -		return -EINVAL;
>>>> +	struct_end = (void *)table + sizeof(struct acpi_table_gtdt);
>>>> +	for (int i = 0; i < gtdt->platform_timer_count; i++) {
>>>> +		gh = platform_timer;
>>>> +		if (((i == 0 && platform_timer >= struct_end) || i != 0) &&
>>> Why is only index 0 checked against the end of the table? Shouldn't
>>> int be an invariant that all timer descriptions must not intersect
>>> with the non-variable part of the GTDT table?
>>
>> AFAICS, after checking against the end of the acpi_table_gtdt struct for the
>> first platform timer, the subsequent platform_timer pointer value
>> computed via "platform_timer + gh->length" will also pass the check,
>> as the gh->length is of u16 type.
> But this is something that isn't obvious to the casual reader of this
> code, and you want to keep validation code simple and localised, with
> as few separate cases as you can. This isn't performance critical
> code, and there is nothing to be gained by "optimising" this.


OK


>>
>>>> +			platform_timer < acpi_gtdt_desc.gtdt_end &&
>>>> +			platform_timer + gh->length <= acpi_gtdt_desc.gtdt_end) {
>>> Surely, assuming that length isn't zero, if the last term is true, the
>>> previous one also is? And what if it is 0?
>>
>> Agree , the length should also be checked against 0,
>> but I think we should first check the platform_timer entry pointer,
>> then check the size of the same platform_timer structure,
>> not check them in the opposite order.
> Correct, that's something that needs fixing. Run with it.
>
> 	M.


OK,  I will do that.

Thanks!