Commit
Avoid subobject buffer overflow when validating RSDP signature
Since the Signature member is accessed through an ACPI_TABLE_HEADER, the pointer to it is only to a 4-char array, and so trying to read past the 4th character, as will be done when it is an RSDP, reads beyond the bounds of the accessed member. On CHERI, and thus Arm's experimental Morello prototype architecture, pointers are represented as capabilities, which are unforgeable bounded pointers, providing always-on fine-grained spatial memory safety. By default, subobject bounds enforcement is not enabled, only bounds on allocations, but it is enabled in the CheriBSD (a port of FreeBSD) kernel as intra-object overflow attacks are common on operating system kernels, and so this overflow is detected there and traps.
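The pattern the commit message describes, as an added example that is not part of the commit or of the project's own code. The struct layouts follow the ACPI specification but use hypothetical lower-case names rather than the project's headers, and `subobject_cap`/`bounded_memcmp` are a small software model of what CHERI does in hardware: the pointer to a member carries that member's length, and an access past it traps. The "before" function reaches the signature through the generic table header, whose `signature` member is 4 bytes, but compares 8; the "after" function derives the pointer from the RSDP layout, whose `signature` member is 8 bytes, so the same compare stays in bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layouts per the ACPI specification (hypothetical names, not the
   project's own headers). Only the first member matters for this example. */
struct acpi_table_header {
    char     signature[4];        /* 4-char table signature, e.g. "DSDT" */
    uint32_t length;
    uint8_t  revision;
    uint8_t  checksum;
    char     oem_id[6];
    char     oem_table_id[8];
    uint32_t oem_revision;
    char     asl_compiler_id[4];
    uint32_t asl_compiler_revision;
};

struct acpi_table_rsdp {
    char     signature[8];        /* "RSD PTR " is 8 chars, not 4 */
    uint8_t  checksum;
    char     oem_id[6];
    uint8_t  revision;
    uint32_t rsdt_physical_address;
    uint32_t length;
    uint64_t xsdt_physical_address;
    uint8_t  extended_checksum;
    uint8_t  reserved[3];
};

#define ACPI_SIG_RSDP     "RSD PTR "
#define ACPI_SIG_RSDP_LEN (sizeof(ACPI_SIG_RSDP) - 1)   /* 8 */

/* Software model of a CHERI capability with subobject bounds: the pointer to a
   member carries that member's size, and any access running past it is
   reported as a trap instead of silently reading the neighbouring bytes. */
struct subobject_cap {
    const char *base;
    size_t      len;
};
#define MEMBER_CAP(obj, member) \
    ((struct subobject_cap){ (const char *)(obj)->member, sizeof((obj)->member) })

static int bounded_memcmp(struct subobject_cap cap, const char *s, size_t n,
                          bool *trapped)
{
    if (n > cap.len) {            /* read would exceed the member's bounds */
        *trapped = true;
        return -1;
    }
    *trapped = false;
    return memcmp(cap.base, s, n);
}

/* Before the fix: the table is reached through the generic header, so the
   capability for ->signature spans 4 bytes, but the RSDP compare reads 8.
   On a conventional build this is memcmp(hdr->signature, ACPI_SIG_RSDP, 8),
   which quietly reads into the following members; here it traps. */
static bool is_rsdp_via_header(const struct acpi_table_header *hdr, bool *trapped)
{
    struct subobject_cap sig = MEMBER_CAP(hdr, signature);
    return bounded_memcmp(sig, ACPI_SIG_RSDP, ACPI_SIG_RSDP_LEN, trapped) == 0;
}

/* After the fix: derive the signature pointer from the RSDP layout, whose
   signature member is 8 bytes, so the 8-byte compare is in bounds. */
static bool is_rsdp_via_rsdp(const void *table, bool *trapped)
{
    const struct acpi_table_rsdp *rsdp = table;
    struct subobject_cap sig = MEMBER_CAP(rsdp, signature);
    return bounded_memcmp(sig, ACPI_SIG_RSDP, ACPI_SIG_RSDP_LEN, trapped) == 0;
}

/* Constructed samples: an RSDP and an ordinary table with a 4-char signature. */
static const struct acpi_table_rsdp sample_rsdp = {
    .signature = { 'R', 'S', 'D', ' ', 'P', 'T', 'R', ' ' },
    .revision  = 2,
};
static const struct acpi_table_header sample_dsdt = {
    .signature = { 'D', 'S', 'D', 'T' },
    .length    = sizeof(struct acpi_table_header),
};

int main(void)
{
    bool trapped;
    bool r = is_rsdp_via_header((const struct acpi_table_header *)&sample_rsdp, &trapped);
    printf("via header: match=%d trapped=%d\n", r, trapped);   /* match=0 trapped=1 */
    r = is_rsdp_via_rsdp(&sample_rsdp, &trapped);
    printf("via rsdp:   match=%d trapped=%d\n", r, trapped);   /* match=1 trapped=0 */
    r = is_rsdp_via_rsdp(&sample_dsdt, &trapped);
    printf("dsdt:       match=%d trapped=%d\n", r, trapped);   /* match=0 trapped=0 */
    return 0;
}
```

The model only checks the bound that CHERI subobject enforcement would check; it does not model the allocation-level bounds that CHERI applies by default, under which the "before" read succeeds because the 8 bytes still lie inside the table allocation. That is why the overflow is invisible on conventional hardware and on CHERI builds without subobject bounds, and visible in the CheriBSD kernel.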