Re: [PATCH 1/2] x86/setup_data: validate indirect entry sizes before dereferencing them
From: Borislav Petkov
Date: Sat Apr 04 2026 - 17:53:52 EST
On Sat, Apr 04, 2026 at 09:48:44PM +0800, Pengpeng Hou wrote:
> Several x86 setup_data consumers treat SETUP_INDIRECT entries as though
> struct setup_indirect is always fully present once the outer setup_data
> header has been read.
>
> That assumption is too strong. A malformed boot-time setup_data entry can
> carry a short or overflowing data->len, causing the kernel to remap less
> than a full indirect header and then dereference indirect->type, addr, or
> len outside the mapped range.
And? Why do we care?
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
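The remap-then-dereference pattern the quoted commit message describes, as an added example that is not the patch's code nor the kernel's own. The two struct layouts follow the x86 boot ABI (struct setup_data, struct setup_indirect); the fake physical memory, the remap() stand-in for early_memremap(), the return codes and the sample entries are constructed here for illustration. The hardened consumer refuses an entry whose data->len cannot hold a full indirect header, and unchecked_overread() reports how many bytes the unhardened pattern would read past the end of its mapping for a given short length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not code from the patch or from the kernel.
 * The two structs mirror the x86 boot ABI layout of struct setup_data and
 * struct setup_indirect; everything else (the fake physical memory,
 * remap(), the return codes, the sample entries) is a constructed model.
 */
struct setup_data {
    uint64_t next;
    uint32_t type;
    uint32_t len;
    uint8_t  data[];
};

struct setup_indirect {
    uint32_t type;
    uint32_t reserved;
    uint64_t len;
    uint64_t addr;
};

#define SETUP_INDIRECT (1U << 31)

/* Constructed "physical memory": large enough for one entry and its payload. */
#define PHYS_SIZE 128
static uint8_t phys_mem[PHYS_SIZE];

enum {
    IND_OK = 0,
    IND_NOT_INDIRECT = -1,  /* outer type is not SETUP_INDIRECT */
    IND_SHORT = -2,         /* data->len too small to hold struct setup_indirect */
    IND_OVERFLOW = -3,      /* sizeof(*data) + data->len would wrap size_t */
    IND_UNMAPPABLE = -4,    /* requested window does not fit in phys_mem */
};

/* Stand-in for early_memremap(): hands out a window only if it is wholly in range. */
static const void *remap(uint64_t pa, size_t len)
{
    if (pa > PHYS_SIZE || len > PHYS_SIZE - pa)
        return NULL;
    return phys_mem + pa;
}

/*
 * Hardened consumer: read the outer header, validate data->len, and only
 * then remap the payload and dereference the indirect header inside it.
 */
static int read_indirect(uint64_t pa_data, struct setup_indirect *out)
{
    const struct setup_data *data = remap(pa_data, sizeof(*data));
    uint32_t dlen;
    size_t total;

    if (!data)
        return IND_UNMAPPABLE;
    if (data->type != SETUP_INDIRECT)
        return IND_NOT_INDIRECT;

    dlen = data->len;
    /* The check the patch subject asks for: a short payload cannot hold a full indirect header. */
    if (dlen < sizeof(struct setup_indirect))
        return IND_SHORT;
    /* Overflow-safe form of sizeof(*data) + dlen (only reachable where size_t is 32-bit). */
    if (dlen > SIZE_MAX - sizeof(*data))
        return IND_OVERFLOW;
    total = sizeof(*data) + dlen;

    data = remap(pa_data, total);
    if (!data)
        return IND_UNMAPPABLE;
    /* The whole struct setup_indirect now lies inside the mapped window. */
    memcpy(out, data->data, sizeof(*out));
    return IND_OK;
}

/*
 * Bytes the unhardened pattern (remap sizeof(*data) + data->len, then read
 * indirect->type/len/addr) reaches past the end of its mapping.
 */
static size_t unchecked_overread(uint32_t dlen)
{
    if (dlen >= sizeof(struct setup_indirect))
        return 0;
    return sizeof(struct setup_indirect) - dlen;
}

/* Writes a constructed entry at pa with the given outer len and optional payload. */
static void build_entry(uint64_t pa, uint32_t type, uint32_t len,
                        const struct setup_indirect *payload)
{
    struct setup_data hdr = { .next = 0, .type = type, .len = len };

    memset(phys_mem, 0, sizeof(phys_mem));
    memcpy(phys_mem + pa, &hdr, sizeof(hdr));
    if (payload)
        memcpy(phys_mem + pa + sizeof(hdr), payload, sizeof(*payload));
}

/* Drives three constructed entries; returns how many behaved as expected (3 when all pass). */
static int demo(void)
{
    struct setup_indirect good = { .type = SETUP_INDIRECT | 1, .reserved = 0,
                                   .len = 0x1000, .addr = 0x100000 };
    struct setup_indirect out;
    int rc, ok = 0;

    /* Well-formed: len covers the whole indirect header. */
    build_entry(0, SETUP_INDIRECT, sizeof(good), &good);
    if (read_indirect(0, &out) == IND_OK && out.addr == good.addr)
        ok++;
    /* Malformed: len claims 8 bytes, so 16 bytes of the indirect header lie outside the map. */
    build_entry(0, SETUP_INDIRECT, 8, &good);
    if (read_indirect(0, &out) == IND_SHORT && unchecked_overread(8) == 16)
        ok++;
    /* Malformed: huge len; rejected either as overflow (32-bit size_t) or as unmappable. */
    build_entry(0, SETUP_INDIRECT, 0xffffff00u, NULL);
    rc = read_indirect(0, &out);
    if (rc == IND_UNMAPPABLE || rc == IND_OVERFLOW)
        ok++;
    return ok;
}
```

The point of the model is the ordering: the length check happens while only the 16-byte outer header is mapped, so a short or absurd data->len is rejected before the consumer ever forms a pointer into the payload.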