From nobody Sat Feb 7 17:55:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3EA2414D29B; Tue, 6 Jan 2026 10:01:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767693710; cv=none; b=C4j/bJdfq2i/astb0yUnJELpo3HeHoXQZPiqh+n4ABD4uE9pDx5dxdiB2WgsU1IbX3XjiAJbaPlNIahd7kyWQ7ynftjr8pSwOT/YoUfyQldISqDrzilMIf7XGSm47k6VTW0wUGpLfQrLJV0viDYs7YtU6P5kc/7cghdSTkgqOcc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767693710; c=relaxed/simple; bh=1wXFtyZXq5x9ZLro1IVko165j2oBCEiBirVTi+4hPv4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=RmRL17lVKiZlANo+2YeoLVU0Uw7xUU1kXAOmsbXA7U8dwtQjQirUVJhXW5RZV/dk/+ecpzCgEtIktq0v1TYt5XrYfwT/XGx1HsDxpD6JVhQZBNH3DNNWZANZ2pOP5jdAFz5bbFK9cf+i1Ylcd+/QcXRcRdbDfHOcfpowLFEXFoY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=jifghc1E; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="jifghc1E" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DFFEFC16AAE; Tue, 6 Jan 2026 10:01:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1767693709; bh=1wXFtyZXq5x9ZLro1IVko165j2oBCEiBirVTi+4hPv4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jifghc1EBWrX4DiGQsHXzrGHbVdw6yVrkBFsTJBMGKh4U20Z1Y7mJGlbG+fRRi8jB hcUdJi2tWbjHUwYGyfhijDN8GYN1EnklsGzFBPDkL9lR0khYHJVeRyzhMpHLcWnvEU TNjeVUQRZq7xKNPLZHY3dguEaIMESYGEKWxYkM10OAP+cu2poqRDK2BoKu7p4vkpZD eCOnoY0CDTKnKd3wJyk8bI+1VDK2/Wsjp5JuZ1am58WlJv6SQ3MvFhY1e+PCaqiFNh kWEqWviF9DfYEcl6eFl2+e8awIfZRVStVcXowsklU/C7ajNW1FMtDxVMOgIz1t0XBA NacrL6wuzKO8Q== Received: from mchehab by mail.kernel.org with local (Exim 4.99) (envelope-from ) id 1vd3sp-000000008ZI-45D9; Tue, 06 Jan 2026 11:01:47 +0100 From: Mauro Carvalho Chehab To: "Rafael J. Wysocki" Cc: Mauro Carvalho Chehab , Ankit Agrawal , Borislav Petkov , Breno Leitao , Hanjun Guo , Jason Tian , Jonathan Cameron , Len Brown , Mauro Carvalho Chehab , Shuai Xue , Smita Koralahalli , Tony Luck , linux-acpi@vger.kernel.org, linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org, pengdonglin Subject: [PATCH v4 1/4] apei/ghes: ARM processor Error: don't go past allocated memory Date: Tue, 6 Jan 2026 11:01:35 +0100 Message-ID: X-Mailer: git-send-email 2.52.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: Mauro Carvalho Chehab If the BIOS generates a very small ARM Processor Error, or an incomplete one, the current logic will fail to deferrence err->section_length and ctx_info->size Add checks to avoid that. With such changes, such GHESv2 records won't cause OOPSes like this: [ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP [ 1.495449] Modules linked in: [ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc= 1-00017-gabadcc3553dd-dirty #18 PREEMPT [ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02= /2022 [ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred [ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE= =3D--) [ 1.497199] pc : log_arm_hw_error+0x5c/0x200 [ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220 0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75). 70 err_info =3D (struct cper_arm_err_info *)(err + 1); 71 ctx_info =3D (struct cper_arm_ctx_info *)(err_info + err->err_info_num); 72 ctx_err =3D (u8 *)ctx_info; 73 74 for (n =3D 0; n < err->context_info_num; n++) { 75 sz =3D sizeof(struct cper_arm_ctx_info) + ctx_info->size; 76 ctx_info =3D (struct cper_arm_ctx_info *)((long)ctx_info + sz); 77 ctx_len +=3D sz; 78 } 79 and similar ones while trying to access section_length on an error dump with too small size. Signed-off-by: Mauro Carvalho Chehab Reviewed-by: Jonathan Cameron --- drivers/acpi/apei/ghes.c | 32 ++++++++++++++++++++++++++++---- drivers/ras/ras.c | 6 +++++- 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c index 0dc767392a6c..fc3f8aed99d5 100644 --- a/drivers/acpi/apei/ghes.c +++ b/drivers/acpi/apei/ghes.c @@ -552,21 +552,45 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest= _generic_data *gdata, { struct cper_sec_proc_arm *err =3D acpi_hest_get_payload(gdata); int flags =3D sync ? MF_ACTION_REQUIRED : 0; + int length =3D gdata->error_data_length; char error_type[120]; bool queued =3D false; int sec_sev, i; char *p; =20 sec_sev =3D ghes_severity(gdata->error_severity); - log_arm_hw_error(err, sec_sev); + if (length >=3D sizeof(*err)) { + log_arm_hw_error(err, sec_sev); + } else { + pr_warn(FW_BUG "arm error length: %d\n", length); + pr_warn(FW_BUG "length is too small\n"); + pr_warn(FW_BUG "firmware-generated error record is incorrect\n"); + return false; + } + if (sev !=3D GHES_SEV_RECOVERABLE || sec_sev !=3D GHES_SEV_RECOVERABLE) return false; =20 p =3D (char *)(err + 1); + length -=3D sizeof(err); + for (i =3D 0; i < err->err_info_num; i++) { - struct cper_arm_err_info *err_info =3D (struct cper_arm_err_info *)p; - bool is_cache =3D err_info->type & CPER_ARM_CACHE_ERROR; - bool has_pa =3D (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICA= L_ADDR); + struct cper_arm_err_info *err_info; + bool is_cache, has_pa; + + /* Ensure we have enough data for the error info header */ + if (length < sizeof(*err_info)) + break; + + err_info =3D (struct cper_arm_err_info *)p; + + /* Validate the claimed length before using it */ + length -=3D err_info->length; + if (length < 0) + break; + + is_cache =3D err_info->type & CPER_ARM_CACHE_ERROR; + has_pa =3D (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADD= R); =20 /* * The field (err_info->error_info & BIT(26)) is fixed to set to diff --git a/drivers/ras/ras.c b/drivers/ras/ras.c index 2a5b5a9fdcb3..03df3db62334 100644 --- a/drivers/ras/ras.c +++ b/drivers/ras/ras.c @@ -72,7 +72,11 @@ void log_arm_hw_error(struct cper_sec_proc_arm *err, con= st u8 sev) ctx_err =3D (u8 *)ctx_info; =20 for (n =3D 0; n < err->context_info_num; n++) { - sz =3D sizeof(struct cper_arm_ctx_info) + ctx_info->size; + sz =3D sizeof(struct cper_arm_ctx_info); + + if (sz + (long)ctx_info - (long)err >=3D err->section_length) + sz +=3D ctx_info->size; + ctx_info =3D (struct cper_arm_ctx_info *)((long)ctx_info + sz); ctx_len +=3D sz; } --=20 2.52.0 From nobody Sat Feb 7 17:55:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3EAAE2DF152; Tue, 6 Jan 2026 10:01:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767693710; cv=none; b=lbtCpV9+7qnfWkmBy8dmU1vkDCuH1Tg1Ys+AL+jl/h4rC1DpFVVps+lZwKLTPOEHXy58oQh8MzaX4s7dyKCx4/WRWMo2PEbfM/L7DLPOCca7olwQWeohKkzZuyzl2rghcoKb3t9va5RzRx7+N67zb6k/GG+ND5/FcxQpP82E55k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767693710; c=relaxed/simple; bh=3Avwk9ah4fvsu5pW2Hk/IxHeMU3rEwQMuWdy8ZlvDv0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=B6z9+aDeJ0AQtzkaINEdh5ScUnY00zO93+okPVqG6v9kuVJk+/wR37dSZ96ygojktEPSqbVVy4P3WWWjOQ6Jy7D7o7J0NXLG4s+GhXrnO1Mv61Ucev0VTYqyjTIL5eQHxHkYUR52Mw5RjH6g6D99m1DC1tVvOBIfPoY//yRoIaM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=U/910rDE; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="U/910rDE" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DB9ABC116C6; Tue, 6 Jan 2026 10:01:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1767693709; bh=3Avwk9ah4fvsu5pW2Hk/IxHeMU3rEwQMuWdy8ZlvDv0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=U/910rDE7bMhtYdfWx/jDSmtv0FxbwK2ijV5f/xtPl31v60lvsiU/O/g50dPbpMm3 0oGhriGXbYeXa4dzFfWW5unorQ56BmnIqujsK8mkjic0FoWY5NMH9wIT2xT3vkOqs4 NGOeJjkd8r7PPzV3zrgnwtyOqkMcRlFOdVLdfPVmNvi4GOHPbg7QjOfngB1c5k28P6 o+yCESIkb0l5KLVrgQrsRd9gEWnzerfBKVQyv8SUtp5/0nl2F7QKr+zLtm21xF0r/F nztqgBTqu1ED7EA3he/VAlxMfpuQk6ZYq4+tezzwA9YcvD2jd04lTFoM5TCR1T9Tx2 40NEGd8mb9y/Q== Received: from mchehab by mail.kernel.org with local (Exim 4.99) (envelope-from ) id 1vd3sq-000000008ZM-004n; Tue, 06 Jan 2026 11:01:48 +0100 From: Mauro Carvalho Chehab To: Ard Biesheuvel Cc: Mauro Carvalho Chehab , Dan Williams , Dave Jiang , Gregory Price , Jonathan Cameron , Smita Koralahalli , linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 2/4] efi/cper: don't go past the ARM processor CPER record buffer Date: Tue, 6 Jan 2026 11:01:36 +0100 Message-ID: X-Mailer: git-send-email 2.52.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: Mauro Carvalho Chehab There's a logic inside ghes/cper to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area. Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198 Signed-off-by: Mauro Carvalho Chehab Reviewed-by: Jonathan Cameron --- drivers/firmware/efi/cper-arm.c | 12 ++++++++---- drivers/firmware/efi/cper.c | 3 ++- include/linux/cper.h | 3 ++- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-ar= m.c index 76542a53e202..b21cb1232d82 100644 --- a/drivers/firmware/efi/cper-arm.c +++ b/drivers/firmware/efi/cper-arm.c @@ -226,7 +226,8 @@ static void cper_print_arm_err_info(const char *pfx, u3= 2 type, } =20 void cper_print_proc_arm(const char *pfx, - const struct cper_sec_proc_arm *proc) + const struct cper_sec_proc_arm *proc, + u32 length) { int i, len, max_ctx_type; struct cper_arm_err_info *err_info; @@ -238,9 +239,12 @@ void cper_print_proc_arm(const char *pfx, =20 len =3D proc->section_length - (sizeof(*proc) + proc->err_info_num * (sizeof(*err_info))); - if (len < 0) { - printk("%ssection length: %d\n", pfx, proc->section_length); - printk("%ssection length is too small\n", pfx); + + if (len < 0 || proc->section_length > length) { + printk("%ssection length: %d, CPER size: %d\n", + pfx, proc->section_length, length); + printk("%ssection length is too %s\n", pfx, + (len < 0) ? "small" : "big"); printk("%sfirmware-generated error record is incorrect\n", pfx); printk("%sERR_INFO_NUM is %d\n", pfx, proc->err_info_num); return; diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c index 0232bd040f61..88fc0293f876 100644 --- a/drivers/firmware/efi/cper.c +++ b/drivers/firmware/efi/cper.c @@ -659,7 +659,8 @@ cper_estatus_print_section(const char *pfx, struct acpi= _hest_generic_data *gdata =20 printk("%ssection_type: ARM processor error\n", newpfx); if (gdata->error_data_length >=3D sizeof(*arm_err)) - cper_print_proc_arm(newpfx, arm_err); + cper_print_proc_arm(newpfx, arm_err, + gdata->error_data_length); else goto err_section_too_small; #endif diff --git a/include/linux/cper.h b/include/linux/cper.h index 5b1236d8c65b..440b35e459e5 100644 --- a/include/linux/cper.h +++ b/include/linux/cper.h @@ -595,7 +595,8 @@ void cper_mem_err_pack(const struct cper_sec_mem_err *, const char *cper_mem_err_unpack(struct trace_seq *, struct cper_mem_err_compact *); void cper_print_proc_arm(const char *pfx, - const struct cper_sec_proc_arm *proc); + const struct cper_sec_proc_arm *proc, + u32 length); void cper_print_proc_ia(const char *pfx, const struct cper_sec_proc_ia *proc); int cper_mem_err_location(struct cper_mem_err_compact *mem, char *msg); --=20 2.52.0 From nobody Sat Feb 7 17:55:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 50D4030DEA6; Tue, 6 Jan 2026 10:01:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767693710; cv=none; b=MvweDalUVCdWU7iLdFPBVeWP+Qj2z3XckoqKZYn8AfJd+P4+5+SZkit6t7Tvlm54yGoe4nGyP0rj8yIKPLP+Ok8YBPgQcYb1hMmVN8tmda4Sjh4p2Tr+mrnclIr/uvuGxmuEWgESWPMJZAkmERD/91Zc/+/J/2nWTAlY0NlaN/E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767693710; c=relaxed/simple; bh=9VmWRogAQpxaWnZ1HlwLtjxIGkfqfYOU297RmfywkiI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=G44Q5qAekTjEmvSqY7nhBpmn4iJ77BYCUEc3ei607BtCje7SdeD/9XRHrG7cGnG8xOgoZE9hD8+KRaLPLTo/tWYQK8lpaIdF9/czU+bCC6u/us47Lpu+UzjYWdR28ZR3/XRjuxnrwiZt5JSKWhwtgxTCqnKDxamlQYpcwA5dP3s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=rXRS8HL4; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="rXRS8HL4" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E5387C19424; Tue, 6 Jan 2026 10:01:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1767693709; bh=9VmWRogAQpxaWnZ1HlwLtjxIGkfqfYOU297RmfywkiI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rXRS8HL46e1Lw8onfIFdnPyuJH4Jdh3Y6JDXglgPXfe3Fz05Ha53uf+UEMzYwhf15 xiaRtfoJPhTip+9sF4KlHTW/jUxqmUXC5OWorshajTSAB/lZ7j9ysusH3NmvdftPcb LJ7Ib2TPCl3iYD9axHk0iZgQlfbUPzShtSgyFi7fWVjLTxoCIaaBuSCqeE2oDk9rnX K3AOJwQzXKweBvbNLTyLl2DpvB7icSTvQQzqCSWsF1rdzRIodu0/gXeCspShClmgsj wc6nDKm9Yfdz8X7Pe6TpHIXAdowojvTQ3C4vShTATL2E/irsu1x5DOaUwP8MONs16M DYGiTB378MRww== Received: from mchehab by mail.kernel.org with local (Exim 4.99) (envelope-from ) id 1vd3sq-000000008ZQ-07JF; Tue, 06 Jan 2026 11:01:48 +0100 From: Mauro Carvalho Chehab To: "Rafael J. Wysocki" , Robert Moore Cc: Mauro Carvalho Chehab , Ankit Agrawal , Borislav Petkov , Breno Leitao , Hanjun Guo , Jason Tian , Jonathan Cameron , Len Brown , Mauro Carvalho Chehab , Shuai Xue , Smita Koralahalli , Tony Luck , acpica-devel@lists.linux.dev, linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 3/4] apei/ghes: ensure that won't go past CPER allocated record Date: Tue, 6 Jan 2026 11:01:37 +0100 Message-ID: <8731f124c82a48850648695530a5442d60034de1.1767693532.git.mchehab+huawei@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: Mauro Carvalho Chehab The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller. Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS: [13095.899926] Unable to handle kernel paging request at virtual address ff= f00000f9b40000 [13095.899961] Mem abort info: [13095.900017] ESR =3D 0x0000000096000007 [13095.900088] EC =3D 0x25: DABT (current EL), IL =3D 32 bits [13095.900156] SET =3D 0, FnV =3D 0 [13095.900181] EA =3D 0, S1PTW =3D 0 [13095.900211] FSC =3D 0x07: level 3 translation fault [13095.900255] Data abort info: [13095.900421] ISV =3D 0, ISS =3D 0x00000007, ISS2 =3D 0x00000000 [13095.900486] CM =3D 0, WnR =3D 0, TnD =3D 0, TagAccess =3D 0 [13095.900525] GCS =3D 0, Overlay =3D 0, DirtyBit =3D 0, Xs =3D 0 [13095.900713] swapper pgtable: 4k pages, 52-bit VAs, pgdp=3D000000008ba160= 00 [13095.900752] [fff00000f9b40000] pgd=3D180000013ffff403, p4d=3D180000013ff= fe403, pud=3D180000013f85b403, pmd=3D180000013f68d403, pte=3D00000000000000= 00 [13095.901312] Internal error: Oops: 0000000096000007 [#1] SMP [13095.901659] Modules linked in: [13095.902201] CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-= rc1-00002-gda407d200220 #34 PREEMPT [13095.902461] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02= /2022 [13095.902719] Workqueue: kacpi_notify acpi_os_execute_deferred [13095.903778] pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE= =3D--) [13095.903892] pc : hex_dump_to_buffer+0x30c/0x4a0 [13095.904146] lr : hex_dump_to_buffer+0x328/0x4a0 [13095.904204] sp : ffff800080e13880 [13095.904291] x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 00000000000= 00083 [13095.904704] x26: fff00000f9b3fffc x25: 0000000000000004 x24: 00000000000= 00004 [13095.905335] x23: ffff800080e13905 x22: 0000000000000010 x21: 00000000000= 00083 [13095.905483] x20: 0000000000000001 x19: 0000000000000008 x18: 00000000000= 00010 [13095.905617] x17: 0000000000000001 x16: 00000007c7f20fec x15: 00000000000= 00020 [13095.905850] x14: 0000000000000008 x13: 0000000000081020 x12: 00000000000= 00008 [13095.906175] x11: ffff800080e13905 x10: ffff800080e13988 x9 : 00000000000= 00000 [13095.906733] x8 : 0000000000000000 x7 : 0000000000000001 x6 : 00000000000= 00020 [13095.907197] x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 00000000000= 00000 [13095.907623] x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 00000000000= 00008 [13095.908284] Call trace: [13095.908866] hex_dump_to_buffer+0x30c/0x4a0 (P) [13095.909135] print_hex_dump+0xac/0x170 [13095.909179] cper_estatus_print_section+0x90c/0x968 [13095.909336] cper_estatus_print+0xf0/0x158 [13095.909348] __ghes_print_estatus+0xa0/0x148 [13095.909656] ghes_proc+0x1bc/0x220 [13095.909883] ghes_notify_hed+0x5c/0xb8 [13095.909957] notifier_call_chain+0x78/0x148 [13095.910180] blocking_notifier_call_chain+0x4c/0x80 [13095.910246] acpi_hed_notify+0x28/0x40 [13095.910558] acpi_ev_notify_dispatch+0x50/0x80 [13095.910576] acpi_os_execute_deferred+0x24/0x48 [13095.911161] process_one_work+0x15c/0x3b0 [13095.911326] worker_thread+0x2d0/0x400 [13095.911775] kthread+0x148/0x228 [13095.912082] ret_from_fork+0x10/0x20 [13095.912687] Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44) [13095.914085] ---[ end trace 0000000000000000 ]--- Prevent that by taking the actual allocated are into account when checking for CPER length. Signed-off-by: Mauro Carvalho Chehab --- drivers/acpi/apei/ghes.c | 6 +++++- include/acpi/ghes.h | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c index fc3f8aed99d5..350f666b7783 100644 --- a/drivers/acpi/apei/ghes.c +++ b/drivers/acpi/apei/ghes.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -294,6 +295,7 @@ static struct ghes *ghes_new(struct acpi_hest_generic *= generic) error_block_length =3D GHES_ESTATUS_MAX_SIZE; } ghes->estatus =3D kmalloc(error_block_length, GFP_KERNEL); + ghes->error_block_length =3D error_block_length; if (!ghes->estatus) { rc =3D -ENOMEM; goto err_unmap_status_addr; @@ -365,13 +367,15 @@ static int __ghes_check_estatus(struct ghes *ghes, struct acpi_hest_generic_status *estatus) { u32 len =3D cper_estatus_len(estatus); + u32 max_len =3D min(ghes->generic->error_block_length, + ghes->error_block_length); =20 if (len < sizeof(*estatus)) { pr_warn_ratelimited(FW_WARN GHES_PFX "Truncated error status block!\n"); return -EIO; } =20 - if (len > ghes->generic->error_block_length) { + if (!len || len > max_len) { pr_warn_ratelimited(FW_WARN GHES_PFX "Invalid error status block length!= \n"); return -EIO; } diff --git a/include/acpi/ghes.h b/include/acpi/ghes.h index ebd21b05fe6e..5866f50bac0c 100644 --- a/include/acpi/ghes.h +++ b/include/acpi/ghes.h @@ -27,6 +27,7 @@ struct ghes { struct timer_list timer; unsigned int irq; }; + unsigned int error_block_length; struct device *dev; struct list_head elist; }; --=20 2.52.0 From nobody Sat Feb 7 17:55:20 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3E9BA1E515; Tue, 6 Jan 2026 10:01:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767693710; cv=none; b=ProMaKI6OhJBtS9H6V4rWvxFgsU4JF2eSeWexTTGaleWQV/Bxv+JoJhye8h3t7jkoM4QqYU4aDIEv0AsmILmChSsGLqpuQ7y2JPk2grxzspolfz78LSC6R7uzE6D53JFv9UF6Caa3HG1ToyfVylZQ5BZUF0KCcm8nK6k/q4NuYk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767693710; c=relaxed/simple; bh=q8mFlp+bD20oQpXP27iO1F9y1ja315WcWvYnI369uAU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=a543JSlu3NLui6ma0uP5KQVjCPI2+ncXJkeuajiIAQSY+D9/H8yldMa1EoOlKpXwVmyoSYHiGIuz8CUgCApiI0bQ6TVnIU/KLTL9e8Oe54cekQ7mzsY4wd9a9vU20EJsVDNJgpkJugG9JBOpkp2yetNVPkDtFj/VyZFiaonrMC8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=K80Cixn4; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="K80Cixn4" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E2B58C4AF0B; Tue, 6 Jan 2026 10:01:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1767693709; bh=q8mFlp+bD20oQpXP27iO1F9y1ja315WcWvYnI369uAU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=K80Cixn4Z56wRQcOua2QaSeVwjW3wZE0rlkSujXYt6MTjHJ42MVFqeIL/JWVZd2YN jftXumqi6maBTzIEHtnGInc5Wiu7mLAFozv28LIIu18XQqIL0TPWDCK9BF02t2Y1tm M+hmneU/DvRg8lnN6FBY7KFqQM4nFtZd/YvpAJW+VJIUxpWqTErS+Hds+DOVaG9cgm Hc8FGwXVWHMR+bdaDbXPvxoN9X3+JhNAaGTnvAsrwTm1SydfJE38sRsu5joQRhGcHK JnMb4UxRG32YP3nYNGOO5WmVPWxG4HIBOu/EBa+ou6Ro511u1ho8PHACwxwBGEhqe7 5Zt8AVdzIV9sA== Received: from mchehab by mail.kernel.org with local (Exim 4.99) (envelope-from ) id 1vd3sq-000000008ZU-0DvN; Tue, 06 Jan 2026 11:01:48 +0100 From: Mauro Carvalho Chehab To: Ard Biesheuvel Cc: Mauro Carvalho Chehab , linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 4/4] efi/cper: don't dump the entire memory region Date: Tue, 6 Jan 2026 11:01:38 +0100 Message-ID: X-Mailer: git-send-email 2.52.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: Mauro Carvalho Chehab The current logic at cper_print_fw_err() doesn't check if the error record length is big enough to handle offset. On a bad firmware, if the ofset is above the actual record, length -=3D offset will underflow, making it dump the entire memory. The end result can be: - the logic taking a lot of time dumping large regions of memory; - data disclosure due to the memory dumps; - an OOPS, if it tries to dump an unmapped memory region. Fix it by checking if the section length is too small before doing a hex dump. Signed-off-by: Mauro Carvalho Chehab --- drivers/firmware/efi/cper.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c index 88fc0293f876..0e938fc5ccb1 100644 --- a/drivers/firmware/efi/cper.c +++ b/drivers/firmware/efi/cper.c @@ -560,6 +560,11 @@ static void cper_print_fw_err(const char *pfx, } else { offset =3D sizeof(*fw_err); } + if (offset > length) { + printk("%s""error section length is too small: offset=3D%d, length=3D%d\= n", + pfx, offset, length); + return; + } =20 buf +=3D offset; length -=3D offset; --=20 2.52.0