From nobody Mon Feb 9 01:44:14 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4BBEA4AA37B; Thu, 8 Jan 2026 11:35:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767872137; cv=none; b=cWNiPcTpEAtCSzoE9koO74n983VGKeRJcvVkgxCegaFRI21qOeAdUWs9KDdGkISqkd7s87OYwqfLJwthUb+CFoGiqjsKoInCGIefzlgZFXA1hsO9/C4u3bYs35eR32ErG/gT5DyKz3G73RrUeYI6g7u8f7GepOmI0RDvk8Ju71s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767872137; c=relaxed/simple; bh=ka2CWUl8OjHLpevWXyf+gxSz2g5ApOySVjvxxdnjmW4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=OnSwiaOoaBD8L42iWn0ItgF5eu/O+YW8eHBOYtaRJok2DYkyVrKKNO+GiOWl+hWuxqLjNmQGaEW4h+IS73vYESRgqshvnt9jmqHSzGQxAWVqpUNTBzkaV6pG1xnz/972bH8foxL7WmBL37ne2LWIVMonkzLASe2Pp9yBMH35Zv4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Ir9KmXJ4; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Ir9KmXJ4" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 68795C16AAE; Thu, 8 Jan 2026 11:35:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1767872136; bh=ka2CWUl8OjHLpevWXyf+gxSz2g5ApOySVjvxxdnjmW4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ir9KmXJ4OXzHvwSx7fODyzZZjfrbNUvHgP5vb4+IF9Vnc9j7xBMBcty8Bi3IQCB1y pxJCq2Y/6TbP6Loi1czf3Mc+VeHG6SzYqaxDLXqsLgQyinKM6kVC21JXwI43yoJmNr heutoW/6HPfeUlO3Tlp5yLBMym19ZI3ICLECA2negSB+OdlJ/lSA8j/kAvIb821QuJ iFmj+DWPwndlWDz5tq7mfaBfhjxWYyxRaVA7CczLb4nxAb6BIAKaEwhqAYKHgPe+6x dfhFO/vv1nFiU9UDewVC1bvDpMq//ozGOYNuQWVnJR4XV3HKjOJ54JXcdgMqQE2cHG plk8904CRPQng== Received: from mchehab by mail.kernel.org with local (Exim 4.99) (envelope-from ) id 1vdoIf-000000033y8-48sw; Thu, 08 Jan 2026 12:35:33 +0100 From: Mauro Carvalho Chehab To: "Rafael J. Wysocki" Cc: Mauro Carvalho Chehab , acpica-devel@lists.linux.dev, linux-acpi@vger.kernel.org, linux-edac@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Ankit Agrawal , Borislav Petkov , Breno Leitao , Hanjun Guo , Huang Yiwei , Jason Tian , Jonathan Cameron , Len Brown , Mauro Carvalho Chehab , Shuai Xue , Smita Koralahalli , Tony Luck Subject: [PATCH v6 1/4] apei/ghes: ARM processor Error: don't go past allocated memory Date: Thu, 8 Jan 2026 12:35:03 +0100 Message-ID: <7fd9f38413be05ee2d7cfdb0dc31ea2274cf1a54.1767871950.git.mchehab+huawei@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: Mauro Carvalho Chehab If the BIOS generates a very small ARM Processor Error, or an incomplete one, the current logic will fail to deferrence err->section_length and ctx_info->size Add checks to avoid that. With such changes, such GHESv2 records won't cause OOPSes like this: [ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP [ 1.495449] Modules linked in: [ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc= 1-00017-gabadcc3553dd-dirty #18 PREEMPT [ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02= /2022 [ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred [ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE= =3D--) [ 1.497199] pc : log_arm_hw_error+0x5c/0x200 [ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220 0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75). 70 err_info =3D (struct cper_arm_err_info *)(err + 1); 71 ctx_info =3D (struct cper_arm_ctx_info *)(err_info + err->err_info_num); 72 ctx_err =3D (u8 *)ctx_info; 73 74 for (n =3D 0; n < err->context_info_num; n++) { 75 sz =3D sizeof(struct cper_arm_ctx_info) + ctx_info->size; 76 ctx_info =3D (struct cper_arm_ctx_info *)((long)ctx_info + sz); 77 ctx_len +=3D sz; 78 } 79 and similar ones while trying to access section_length on an error dump with too small size. Signed-off-by: Mauro Carvalho Chehab Reviewed-by: Jonathan Cameron Acked-by: Ard Biesheuvel Reviewed-by: Hanjun Guo --- drivers/acpi/apei/ghes.c | 32 ++++++++++++++++++++++++++++---- drivers/ras/ras.c | 6 +++++- 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c index 0dc767392a6c..fc3f8aed99d5 100644 --- a/drivers/acpi/apei/ghes.c +++ b/drivers/acpi/apei/ghes.c @@ -552,21 +552,45 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest= _generic_data *gdata, { struct cper_sec_proc_arm *err =3D acpi_hest_get_payload(gdata); int flags =3D sync ? MF_ACTION_REQUIRED : 0; + int length =3D gdata->error_data_length; char error_type[120]; bool queued =3D false; int sec_sev, i; char *p; =20 sec_sev =3D ghes_severity(gdata->error_severity); - log_arm_hw_error(err, sec_sev); + if (length >=3D sizeof(*err)) { + log_arm_hw_error(err, sec_sev); + } else { + pr_warn(FW_BUG "arm error length: %d\n", length); + pr_warn(FW_BUG "length is too small\n"); + pr_warn(FW_BUG "firmware-generated error record is incorrect\n"); + return false; + } + if (sev !=3D GHES_SEV_RECOVERABLE || sec_sev !=3D GHES_SEV_RECOVERABLE) return false; =20 p =3D (char *)(err + 1); + length -=3D sizeof(err); + for (i =3D 0; i < err->err_info_num; i++) { - struct cper_arm_err_info *err_info =3D (struct cper_arm_err_info *)p; - bool is_cache =3D err_info->type & CPER_ARM_CACHE_ERROR; - bool has_pa =3D (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICA= L_ADDR); + struct cper_arm_err_info *err_info; + bool is_cache, has_pa; + + /* Ensure we have enough data for the error info header */ + if (length < sizeof(*err_info)) + break; + + err_info =3D (struct cper_arm_err_info *)p; + + /* Validate the claimed length before using it */ + length -=3D err_info->length; + if (length < 0) + break; + + is_cache =3D err_info->type & CPER_ARM_CACHE_ERROR; + has_pa =3D (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADD= R); =20 /* * The field (err_info->error_info & BIT(26)) is fixed to set to diff --git a/drivers/ras/ras.c b/drivers/ras/ras.c index 2a5b5a9fdcb3..03df3db62334 100644 --- a/drivers/ras/ras.c +++ b/drivers/ras/ras.c @@ -72,7 +72,11 @@ void log_arm_hw_error(struct cper_sec_proc_arm *err, con= st u8 sev) ctx_err =3D (u8 *)ctx_info; =20 for (n =3D 0; n < err->context_info_num; n++) { - sz =3D sizeof(struct cper_arm_ctx_info) + ctx_info->size; + sz =3D sizeof(struct cper_arm_ctx_info); + + if (sz + (long)ctx_info - (long)err >=3D err->section_length) + sz +=3D ctx_info->size; + ctx_info =3D (struct cper_arm_ctx_info *)((long)ctx_info + sz); ctx_len +=3D sz; } --=20 2.52.0 From nobody Mon Feb 9 01:44:14 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1CC5D4AA361; Thu, 8 Jan 2026 11:35:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767872137; cv=none; b=s/hRgMUUvrZLHVFYGJSVHjhBj+VQ1loP4bowYSv7Mq4mH26PGGgI8ezDFxq75GcNqINTa3UwCDlmtHNM0qxlO8fFOgWy6X1gu6VRR+2GT/oAJiXwBp9lQiePPmySY4dF5LuNPtHe5C5fP0oBw4u8ZwiiTJ0t7OE90zXxQSJMdBQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767872137; c=relaxed/simple; bh=3Avwk9ah4fvsu5pW2Hk/IxHeMU3rEwQMuWdy8ZlvDv0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Kq/v9o8kSbKahxVVm0jwj/cQP8jIM4mJnBsCV57+77aITzJnnHz7S+GxwmJv4mDNWo9XIWVyvAfErFSVfzkXgOeHJC6YzNGfQ328wQ/ZmBtHE76Bh7nVsKj/lZ64g9yn1u0QhD5+tZ7PbnpBGbDWDYJfdGbV6vLdCRNX8VEtMPE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=T9q9GAk9; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="T9q9GAk9" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6C507C19424; Thu, 8 Jan 2026 11:35:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1767872136; bh=3Avwk9ah4fvsu5pW2Hk/IxHeMU3rEwQMuWdy8ZlvDv0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=T9q9GAk9Ua2Cg3c0vHldsZn8mjz7hkO461+3EBeFgmDBayLGRmkOex4SP/PQZ0/7r YFvYXcBfWNbeOSo0WyXfrJSxi63WIlwtXCz1C7yZXnX3TceaxSWcQUSlk9v9NqFXOG bF7nkXo7JQ38n7giapUDO43LQ/N89Y9lYWnMJymadVQTYKP6XEdUF4jWXy2CtzeZBa JKkK03+lgTJ/y1J1Ll0KiiS5FtVAJw38/oIyNcNJvlyDRHLpzuYw7eASyTB59ngb5g tttYmZ88XAmrBemBmNgzi5I5Hw3JQrXwemW5DERC3iwQoL+VKCvHnGxbFSXH+ScpPt oE6ILYQsRm5xw== Received: from mchehab by mail.kernel.org with local (Exim 4.99) (envelope-from ) id 1vdoIg-000000033yC-049Z; Thu, 08 Jan 2026 12:35:34 +0100 From: Mauro Carvalho Chehab To: "Rafael J. Wysocki" , Ard Biesheuvel Cc: Mauro Carvalho Chehab , acpica-devel@lists.linux.dev, linux-acpi@vger.kernel.org, linux-edac@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Dan Williams , Dave Jiang , Ira Weiny , Jonathan Cameron , Smita Koralahalli Subject: [PATCH v6 2/4] efi/cper: don't go past the ARM processor CPER record buffer Date: Thu, 8 Jan 2026 12:35:04 +0100 Message-ID: <41cd9f6b3ace3cdff7a5e864890849e4b1c58b63.1767871950.git.mchehab+huawei@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: Mauro Carvalho Chehab There's a logic inside ghes/cper to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area. Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198 Signed-off-by: Mauro Carvalho Chehab Reviewed-by: Jonathan Cameron Acked-by: Ard Biesheuvel Reviewed-by: Hanjun Guo --- drivers/firmware/efi/cper-arm.c | 12 ++++++++---- drivers/firmware/efi/cper.c | 3 ++- include/linux/cper.h | 3 ++- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-ar= m.c index 76542a53e202..b21cb1232d82 100644 --- a/drivers/firmware/efi/cper-arm.c +++ b/drivers/firmware/efi/cper-arm.c @@ -226,7 +226,8 @@ static void cper_print_arm_err_info(const char *pfx, u3= 2 type, } =20 void cper_print_proc_arm(const char *pfx, - const struct cper_sec_proc_arm *proc) + const struct cper_sec_proc_arm *proc, + u32 length) { int i, len, max_ctx_type; struct cper_arm_err_info *err_info; @@ -238,9 +239,12 @@ void cper_print_proc_arm(const char *pfx, =20 len =3D proc->section_length - (sizeof(*proc) + proc->err_info_num * (sizeof(*err_info))); - if (len < 0) { - printk("%ssection length: %d\n", pfx, proc->section_length); - printk("%ssection length is too small\n", pfx); + + if (len < 0 || proc->section_length > length) { + printk("%ssection length: %d, CPER size: %d\n", + pfx, proc->section_length, length); + printk("%ssection length is too %s\n", pfx, + (len < 0) ? "small" : "big"); printk("%sfirmware-generated error record is incorrect\n", pfx); printk("%sERR_INFO_NUM is %d\n", pfx, proc->err_info_num); return; diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c index 0232bd040f61..88fc0293f876 100644 --- a/drivers/firmware/efi/cper.c +++ b/drivers/firmware/efi/cper.c @@ -659,7 +659,8 @@ cper_estatus_print_section(const char *pfx, struct acpi= _hest_generic_data *gdata =20 printk("%ssection_type: ARM processor error\n", newpfx); if (gdata->error_data_length >=3D sizeof(*arm_err)) - cper_print_proc_arm(newpfx, arm_err); + cper_print_proc_arm(newpfx, arm_err, + gdata->error_data_length); else goto err_section_too_small; #endif diff --git a/include/linux/cper.h b/include/linux/cper.h index 5b1236d8c65b..440b35e459e5 100644 --- a/include/linux/cper.h +++ b/include/linux/cper.h @@ -595,7 +595,8 @@ void cper_mem_err_pack(const struct cper_sec_mem_err *, const char *cper_mem_err_unpack(struct trace_seq *, struct cper_mem_err_compact *); void cper_print_proc_arm(const char *pfx, - const struct cper_sec_proc_arm *proc); + const struct cper_sec_proc_arm *proc, + u32 length); void cper_print_proc_ia(const char *pfx, const struct cper_sec_proc_ia *proc); int cper_mem_err_location(struct cper_mem_err_compact *mem, char *msg); --=20 2.52.0 From nobody Mon Feb 9 01:44:14 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0FDB94AA356; Thu, 8 Jan 2026 11:35:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767872137; cv=none; b=H+ovyWEt+VPmpj35b1cEyjBmwt4XDmTS/5yjCBKl3xKjsQntpxpPOexICEojpNnRRps7fl7U1+FspBz2bmlvBNxZz/FCxJFlJDRwq8wL7kbBoDVaAqIoF+ZP5d76A/9v/RWrg1NL7eAPTx3SfBSBePYeSC9Jv8bawEJuV2j2HQ0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767872137; c=relaxed/simple; bh=UsLabrNWxxt0g8jgL/ao4xZ1pvqAdssx0fpURxqyV/0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=ZkdaShYxXwiI4Kml1duvQ8BJ2kur0bbJfRtfF6l1uO08VNIjNa/jcvJSkqp5fhnhcLxOQDf4mLrvKvdF1uE8OXtV00A19xwOORarnxNkxasyugM8WFt46pjHnui7b2/pt+pa1+C+nbBPSdbxk8UNUtaf6/TuUbLE6nGvZc+tdd4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Ds7h8aNG; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Ds7h8aNG" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 66AF2C116C6; Thu, 8 Jan 2026 11:35:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1767872136; bh=UsLabrNWxxt0g8jgL/ao4xZ1pvqAdssx0fpURxqyV/0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ds7h8aNGUtynDJd1T9e/SEpaWg3OB/3N4AT/40HuDCCMCkKXTkjBOftGUZaAEaQU8 HDVJ8ByRvKf/KirtpMTvOVGhFIauUYVEPOoBL83ovLMsGvqICbl+htLZs5gk94jWd2 RsozKaQdGSI1p+mex9ukCYROSQYeRTBVzLf7OWMJKxdxZCQB84Hin+hcok0vK1ksgn Js/VbE5BQrHkrtlSWU972pxxVTof7CKiO+Pcsp4b26b2BgnHcJepEB1fNNPDvJxlv/ tGMU3U1DlVsM9dWzfuKU/v4kNvahQcdiiTh3by5tmWpgyX4J0UukLmW7JZBKo4V54r X9Y2ODk5CnM3Q== Received: from mchehab by mail.kernel.org with local (Exim 4.99) (envelope-from ) id 1vdoIg-000000033yG-0Bue; Thu, 08 Jan 2026 12:35:34 +0100 From: Mauro Carvalho Chehab To: "Rafael J. Wysocki" Cc: Mauro Carvalho Chehab , acpica-devel@lists.linux.dev, linux-acpi@vger.kernel.org, linux-edac@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Ankit Agrawal , Borislav Petkov , Breno Leitao , Hanjun Guo , Jason Tian , Jonathan Cameron , Len Brown , Mauro Carvalho Chehab , Robert Moore , Shuai Xue , Smita Koralahalli , Tony Luck Subject: [PATCH v6 3/4] apei/ghes: ensure that won't go past CPER allocated record Date: Thu, 8 Jan 2026 12:35:05 +0100 Message-ID: <4e70310a816577fabf37d94ed36cde4ad62b1e0a.1767871950.git.mchehab+huawei@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: Mauro Carvalho Chehab The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller. Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS: Unable to handle kernel paging request at virtual address fff00000f9b40= 000 Mem abort info: ESR =3D 0x0000000096000007 EC =3D 0x25: DABT (current EL), IL =3D 32 bits SET =3D 0, FnV =3D 0 EA =3D 0, S1PTW =3D 0 FSC =3D 0x07: level 3 translation fault Data abort info: ISV =3D 0, ISS =3D 0x00000007, ISS2 =3D 0x00000000 CM =3D 0, WnR =3D 0, TnD =3D 0, TagAccess =3D 0 GCS =3D 0, Overlay =3D 0, DirtyBit =3D 0, Xs =3D 0 swapper pgtable: 4k pages, 52-bit VAs, pgdp=3D000000008ba16000 [fff00000f9b40000] pgd=3D180000013ffff403, p4d=3D180000013fffe403, pud= =3D180000013f85b403, pmd=3D180000013f68d403, pte=3D0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-g= da407d200220 #34 PREEMPT Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022 Workqueue: kacpi_notify acpi_os_execute_deferred pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=3D--) pc : hex_dump_to_buffer+0x30c/0x4a0 lr : hex_dump_to_buffer+0x328/0x4a0 sp : ffff800080e13880 x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083 x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004 x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083 x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010 x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020 x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008 x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020 x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000 x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008 Call trace: hex_dump_to_buffer+0x30c/0x4a0 (P) print_hex_dump+0xac/0x170 cper_estatus_print_section+0x90c/0x968 cper_estatus_print+0xf0/0x158 __ghes_print_estatus+0xa0/0x148 ghes_proc+0x1bc/0x220 ghes_notify_hed+0x5c/0xb8 notifier_call_chain+0x78/0x148 blocking_notifier_call_chain+0x4c/0x80 acpi_hed_notify+0x28/0x40 acpi_ev_notify_dispatch+0x50/0x80 acpi_os_execute_deferred+0x24/0x48 process_one_work+0x15c/0x3b0 worker_thread+0x2d0/0x400 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44) ---[ end trace 0000000000000000 ]--- Prevent that by taking the actual allocated are into account when checking for CPER length. Signed-off-by: Mauro Carvalho Chehab Reviewed-by: Jonathan Cameron Acked-by: Ard Biesheuvel Reviewed-by: Hanjun Guo --- drivers/acpi/apei/ghes.c | 6 +++++- include/acpi/ghes.h | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c index fc3f8aed99d5..77ea7a5b761f 100644 --- a/drivers/acpi/apei/ghes.c +++ b/drivers/acpi/apei/ghes.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -294,6 +295,7 @@ static struct ghes *ghes_new(struct acpi_hest_generic *= generic) error_block_length =3D GHES_ESTATUS_MAX_SIZE; } ghes->estatus =3D kmalloc(error_block_length, GFP_KERNEL); + ghes->estatus_length =3D error_block_length; if (!ghes->estatus) { rc =3D -ENOMEM; goto err_unmap_status_addr; @@ -365,13 +367,15 @@ static int __ghes_check_estatus(struct ghes *ghes, struct acpi_hest_generic_status *estatus) { u32 len =3D cper_estatus_len(estatus); + u32 max_len =3D min(ghes->generic->error_block_length, + ghes->estatus_length); =20 if (len < sizeof(*estatus)) { pr_warn_ratelimited(FW_WARN GHES_PFX "Truncated error status block!\n"); return -EIO; } =20 - if (len > ghes->generic->error_block_length) { + if (!len || len > max_len) { pr_warn_ratelimited(FW_WARN GHES_PFX "Invalid error status block length!= \n"); return -EIO; } diff --git a/include/acpi/ghes.h b/include/acpi/ghes.h index ebd21b05fe6e..93db60da5934 100644 --- a/include/acpi/ghes.h +++ b/include/acpi/ghes.h @@ -21,6 +21,7 @@ struct ghes { struct acpi_hest_generic_v2 *generic_v2; }; struct acpi_hest_generic_status *estatus; + unsigned int estatus_length; unsigned long flags; union { struct list_head list; --=20 2.52.0 From nobody Mon Feb 9 01:44:14 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0F779495529; Thu, 8 Jan 2026 11:35:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767872137; cv=none; b=g/lvxJQZ0BGXnuhSjO2XdbclyETcXL4Y3LLXAVatBhL6yBF3OgqxT9PutoymRQVrn95uwIM8ou9Bj5F/SGfxV8VoiWN4NDJ20s4Zm9wKFg+0hLcjJUZ8LhyQGqjVEpU40KjC9sxe514WnNzSEPQa6X2s6iLH5vtist9HV1Vk3vU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767872137; c=relaxed/simple; bh=7ClOr2/SXZvL7/2ZcJPhfqf9+Zeyoc7xjpGBwuIaGtc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=e5Xd3CSEq63EAVZHujxCtJ6kbZx4QdBpyLao4gFatn2i+AccSyXGrrRvmg6crJDxmqweo43saE3GPvF96xoG4P+vgPu/NVZ8hluyF/QL/fwxs8Mglr/uici61zu9nnumduCPYgAkG0C7OaTfCOYdQ+53U2jd1VKnuq9/erhBrQY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=R3xSQKI6; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="R3xSQKI6" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6E93DC19421; Thu, 8 Jan 2026 11:35:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1767872136; bh=7ClOr2/SXZvL7/2ZcJPhfqf9+Zeyoc7xjpGBwuIaGtc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=R3xSQKI6e8ONZTUffaDWdBa9taK+4xZA1ufJmKzvcNUEqrzOQaXb5uEM5t6Tvp21j Aq7c38CL2HsuJOTaCF0ZwnsxHm9yO8nJn7SoZWy5l6HwDVL9rK42gbhmqpoA2fcCnj o8y3O0SX9RVpLIdEn51RkhxbJvcF+v1QvmqFd8lgUyz36aL2C2f6nAr2sEJ5fQqwfQ 6k3CqTc6o+1Lr2LvkMjgy6SchZqhoiR4tAedDRJhZNLS09baRdKLyO6/UsmoOGez7W jlYZ2cBWqLsvMgk2d45ShitMo5kVU+toIQVJrzzuxyRo+VC1+3EAceWpg4Ius6rBfd Blq6nMhfLMq1A== Received: from mchehab by mail.kernel.org with local (Exim 4.99) (envelope-from ) id 1vdoIg-000000033yK-0JFk; Thu, 08 Jan 2026 12:35:34 +0100 From: Mauro Carvalho Chehab To: "Rafael J. Wysocki" , Ard Biesheuvel Cc: Mauro Carvalho Chehab , acpica-devel@lists.linux.dev, linux-acpi@vger.kernel.org, linux-edac@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Jonathan Cameron Subject: [PATCH v6 4/4] efi/cper: don't dump the entire memory region Date: Thu, 8 Jan 2026 12:35:06 +0100 Message-ID: <1752b5ba63a3e2f148ddee813b36c996cc617e86.1767871950.git.mchehab+huawei@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: Mauro Carvalho Chehab The current logic at cper_print_fw_err() doesn't check if the error record length is big enough to handle offset. On a bad firmware, if the ofset is above the actual record, length -=3D offset will underflow, making it dump the entire memory. The end result can be: - the logic taking a lot of time dumping large regions of memory; - data disclosure due to the memory dumps; - an OOPS, if it tries to dump an unmapped memory region. Fix it by checking if the section length is too small before doing a hex dump. Signed-off-by: Mauro Carvalho Chehab Reviewed-by: Jonathan Cameron Acked-by: Ard Biesheuvel Reviewed-by: Hanjun Guo --- drivers/firmware/efi/cper.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c index 88fc0293f876..0e938fc5ccb1 100644 --- a/drivers/firmware/efi/cper.c +++ b/drivers/firmware/efi/cper.c @@ -560,6 +560,11 @@ static void cper_print_fw_err(const char *pfx, } else { offset =3D sizeof(*fw_err); } + if (offset > length) { + printk("%s""error section length is too small: offset=3D%d, length=3D%d\= n", + pfx, offset, length); + return; + } =20 buf +=3D offset; length -=3D offset; --=20 2.52.0