Change the iteration, to make sure the ACPI_MCFG_ALLOCATION structure we're
reading fits the table we allocated. Linux does the same.

I have a laptop which, for some reason, reports a table size of 62 bytes.
Clearly that's incorrect, it should be 60 (44 + 16). Because of the stray
+2, here the kernel reads past the end of the allocated buffer, hits an
unmapped VA, and panics at boot time. So the laptop can't boot.

Now it boots fine.
maxv 2018-04-06 17:30:25 +00:00
parent 40a6999954
commit 144c24be17
1 changed files with 4 additions and 3 deletions
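
The arithmetic behind the panic described in the commit message, as an added example that is not part of the commit or of NetBSD's code. It models only the two loop bounds over a reported table length, using the 44 and 16 byte sizes from the message; `walk_old` and `walk_new` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sizes as given in the commit message: 44-byte table header, 16-byte entry. */
#define MCFG_HDR_SIZE   ((size_t)44)
#define MCFG_ENTRY_SIZE ((size_t)16)

/* Old bound: visit an entry whenever its first byte lies inside the table.
 * *past_end receives how many bytes of visited entries lie beyond table_len. */
size_t walk_old(size_t table_len, size_t *past_end)
{
    size_t n = 0, off;

    *past_end = 0;
    for (off = MCFG_HDR_SIZE; off < table_len; off += MCFG_ENTRY_SIZE) {
        if (off + MCFG_ENTRY_SIZE > table_len)
            *past_end += off + MCFG_ENTRY_SIZE - table_len;
        n++;
    }
    return n;
}

/* New bound: visit an entry only if all of it fits inside the table.
 * *trailing receives the bytes left over after the last whole entry. */
size_t walk_new(size_t table_len, size_t *trailing)
{
    size_t n = 0, off;

    for (off = MCFG_HDR_SIZE; off + MCFG_ENTRY_SIZE <= table_len;
        off += MCFG_ENTRY_SIZE)
        n++;
    *trailing = table_len > off ? table_len - off : 0;
    return n;
}

int main(void)
{
    size_t lens[] = { 60, 62 };  /* constructed: correct size, then the stray +2 */
    size_t i, extra, n;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        n = walk_old(lens[i], &extra);
        printf("len %zu old: %zu entries, %zu bytes past end\n", lens[i], n, extra);
        n = walk_new(lens[i], &extra);
        printf("len %zu new: %zu entries, %zu trailing bytes\n", lens[i], n, extra);
    }
    return 0;
}
```

With a reported length of 62 the old bound visits a second entry that starts at offset 60, while the new bound stops after the first entry and leaves the two stray bytes unread.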

@ -1,4 +1,4 @@
/* $NetBSD: acpi_mcfg.c,v 1.5 2018/02/28 05:50:06 msaitoh Exp $ */
/* $NetBSD: acpi_mcfg.c,v 1.6 2018/04/06 17:30:25 maxv Exp $ */
/*-
* Copyright (C) 2015 NONAKA Kimihiro <nonaka@NetBSD.org>
@ -26,7 +26,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.5 2018/02/28 05:50:06 msaitoh Exp $");
__KERNEL_RCSID(0, "$NetBSD: acpi_mcfg.c,v 1.6 2018/04/06 17:30:25 maxv Exp $");
#include <sys/param.h>
#include <sys/device.h>
@ -287,7 +287,8 @@ acpimcfg_probe(struct acpi_softc *sc)
nsegs = 0;
offset = sizeof(ACPI_TABLE_MCFG);
ama = ACPI_ADD_PTR(ACPI_MCFG_ALLOCATION, mcfg, offset);
for (i = 0; offset < mcfg->Header.Length; i++) {
for (i = 0; offset + sizeof(ACPI_MCFG_ALLOCATION) <=
mcfg->Header.Length; i++) {
aprint_debug_dev(sc->sc_dev,
"MCFG: segment %d, bus %d-%d, address 0x%016" PRIx64 "\n",
ama->PciSegment, ama->StartBusNumber, ama->EndBusNumber,
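
Review bot: The new bound on the `for` in acpimcfg_probe ends the walk silently when fewer than sizeof(ACPI_MCFG_ALLOCATION) bytes remain, so a table whose Header.Length is not the header plus a whole number of entries is accepted without any trace in the log. Consider an aprint_debug_dev after the loop when offset != mcfg->Header.Length, and a one-line comment above the loop noting that firmware can report a length with trailing bytes, since the two-line condition does not explain itself. It is also worth checking whether any other walk over the MCFG entries in this file still uses `offset < mcfg->Header.Length` and needs the same bound.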