acpi/tables: verify MADT entry lengths

Stop parsing ACPI information when encountering a MADT entry with a length value equal to zero, as that could cause an infinite loop. While we are at it, verify that the MADT entry length field matches the expected size of the entry type. Signed-off-by: Carlos López <[email protected]>
00xc · Oct 2, 2023 · 1d3253f · 1d3253f
1 parent fdeaee3
commit 1d3253f
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/src/acpi/tables.rs b/src/acpi/tables.rs
@@ -289,9 +289,10 @@ pub fn load_acpi_cpu_info(fw_cfg: &FwCfg) -> Result<Vec<ACPICPUInfo>, SvsmError>
             .content_ptr::<RawMADTEntryHeader>(offset)
             .ok_or(SvsmError::Acpi)?;
         let (madt_type, entry_len) = unsafe { ((*entry_ptr).entry_type, (*entry_ptr).entry_len) };
+        let entry_len = usize::from(entry_len);
 
         match madt_type {
-            0 => {
+            0 if entry_len == mem::size_of::<RawMADTEntryLocalApic>() => {
                 let lapic_ptr = apic_table
                     .content_ptr::<RawMADTEntryLocalApic>(offset)
                     .ok_or(SvsmError::Acpi)?;
@@ -301,7 +302,7 @@ pub fn load_acpi_cpu_info(fw_cfg: &FwCfg) -> Result<Vec<ACPICPUInfo>, SvsmError>
                     enabled: (flags & 1) == 1,
                 });
             }
-            9 => {
+            9 if entry_len == mem::size_of::<RawMADTEntryLocalX2Apic>() => {
                 let x2apic_ptr = apic_table
                     .content_ptr::<RawMADTEntryLocalX2Apic>(offset)
                     .ok_or(SvsmError::Acpi)?;
@@ -311,14 +312,19 @@ pub fn load_acpi_cpu_info(fw_cfg: &FwCfg) -> Result<Vec<ACPICPUInfo>, SvsmError>
                     enabled: (flags & 1) == 1,
                 });
             }
+            _ if entry_len == 0 => {
+                log::warn!(
+                    "Found zero-length MADT entry with type {}, stopping",
+                    madt_type
+                );
+                break;
+            }
             _ => {
                 log::info!("Ignoring MADT entry with type {}", madt_type);
             }
         }
 
-        offset = offset
-            .checked_add(entry_len as usize)
-            .ok_or(SvsmError::Acpi)?;
+        offset = offset.checked_add(entry_len).ok_or(SvsmError::Acpi)?;
     }
 
     Ok(cpus)