Kernel: Validate ACPI checksums (and skip invalid tables)

Author: implicitfield

Kernel/Arch/x86_64/Firmware/ACPI.cpp

@@ -6,25 +6,66 @@
 
 #include <Kernel/Arch/x86_64/Firmware/ACPI.h>
 #include <Kernel/Arch/x86_64/Firmware/PCBIOS/Mapper.h>
+#include <Kernel/Firmware/ACPI/Definitions.h>
 #include <Kernel/Memory/MemoryManager.h>
 
 namespace Kernel::ACPI::StaticParsing {
 
+static bool is_rsdp_valid(u8 const* rsdp, size_t region_size)
+{
+    if (region_size < sizeof(Structures::RSDPDescriptor))
+        return false;
+
+    u8 revision = reinterpret_cast<Structures::RSDPDescriptor const*>(rsdp)->revision;
+
+    u8 checksum = 0;
+    for (size_t i = 0; i < sizeof(Structures::RSDPDescriptor); ++i)
+        checksum += rsdp[i];
+
+    if (checksum != 0)
+        return false;
+
+    if (revision == 0)
+        // Checksum matched and there's nothing more to check.
+        return true;
+
+    if (region_size < sizeof(Structures::RSDPDescriptor20))
+        return false;
+
+    checksum = 0;
+    for (size_t i = 0; i < sizeof(Structures::RSDPDescriptor20); ++i)
+        checksum += rsdp[i];
+    return checksum == 0;
+}
+
 // https://uefi.org/specs/ACPI/6.5/05_ACPI_Software_Programming_Model.html#finding-the-rsdp-on-ia-pc-systems
 Optional<PhysicalAddress> find_rsdp_in_ia_pc_specific_memory_locations()
 {
     constexpr auto signature = "RSD PTR "sv;
+
+    auto locate_rsdp = [&signature](Memory::MappedROM mapping) -> Optional<PhysicalAddress> {
+        while (true) {
+            u8 const* rsdp = mapping.pointer_to_chunk_starting_with(signature, 16);
+            if (!rsdp)
+                return {};
+            if (is_rsdp_valid(rsdp, static_cast<size_t>(mapping.end() - rsdp)))
+                return mapping.paddr_of(rsdp);
+            mapping.offset = (mapping.paddr_of(rsdp).get() - mapping.paddr.get()) + signature.length();
+            mapping.size -= static_cast<size_t>(rsdp - mapping.base()) + signature.length();
+        }
+    };
+
     auto ebda_or_error = map_ebda();
     if (!ebda_or_error.is_error()) {
-        auto rsdp = ebda_or_error.value().find_chunk_starting_with(signature, 16);
-        if (rsdp.has_value())
-            return rsdp;
+        auto maybe_rsdp = locate_rsdp(ebda_or_error.release_value());
+        if (maybe_rsdp.has_value())
+            return maybe_rsdp.value();
     }
     auto bios_or_error = map_bios();
     if (!bios_or_error.is_error()) {
-        auto rsdp = bios_or_error.value().find_chunk_starting_with(signature, 16);
-        if (rsdp.has_value())
-            return rsdp;
+        auto maybe_rsdp = locate_rsdp(bios_or_error.release_value());
+        if (maybe_rsdp.has_value())
+            return maybe_rsdp.value();
     }
 
     // On some systems the RSDP may be located in ACPI NVS or reclaimable memory regions
@@ -52,9 +93,9 @@ Optional<PhysicalAddress> find_rsdp_in_ia_pc_specific_memory_locations()
         mapping.size = memory_range.length;
         mapping.paddr = memory_range.start;
 
-        auto rsdp = mapping.find_chunk_starting_with(signature, 16);
-        if (rsdp.has_value())
-            return rsdp;
+        auto maybe_rsdp = locate_rsdp(move(mapping));
+        if (maybe_rsdp.has_value())
+            return maybe_rsdp.value();
     }
 
     return {};

Kernel/Firmware/ACPI/StaticParsing.cpp

@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: BSD-2-Clause
  */
 
+#include <AK/ByteReader.h>
 #include <Kernel/Firmware/ACPI/Definitions.h>
 #include <Kernel/Firmware/ACPI/StaticParsing.h>
 #include <Kernel/Library/StdLib.h>
@@ -31,16 +32,33 @@ Optional<PhysicalAddress> find_rsdp()
 
 static bool match_table_signature(PhysicalAddress table_header, StringView signature)
 {
-    // FIXME: There's no validation of ACPI tables here. Use the checksum to validate the tables.
     VERIFY(signature.length() == 4);
 
-    auto table = Memory::map_typed<Structures::RSDT>(table_header).release_value_but_fixme_should_propagate_errors();
-    return !strncmp(table->h.sig, signature.characters_without_null_termination(), 4);
+    auto check_in_region = [&](size_t length, auto&& callback) -> bool {
+        auto region = Memory::map_typed<u8 const>(table_header, length).release_value_but_fixme_should_propagate_errors();
+        return callback(region.ptr());
+    };
+
+    u32 length = 0;
+    auto check_signature_and_get_length = [&](u8 const* base) -> bool {
+        if (memcmp(reinterpret_cast<char const*>(base), signature.characters_without_null_termination(), 4) != 0)
+            return false;
+        length = ByteReader::load32(base + 4);
+        return true;
+    };
+
+    auto validate_checksum = [&](u8 const* base) -> bool {
+        u8 checksum = 0;
+        for (u32 i = 0; i < length; ++i)
+            checksum += base[i];
+        return checksum == 0;
+    };
+
+    return check_in_region(8, check_signature_and_get_length) && check_in_region(length, validate_checksum);
 }
 
 ErrorOr<Optional<PhysicalAddress>> search_table_in_xsdt(PhysicalAddress xsdt_address, StringView signature)
 {
-    // FIXME: There's no validation of ACPI tables here. Use the checksum to validate the tables.
     VERIFY(signature.length() == 4);
 
     auto xsdt = TRY(Memory::map_typed<Structures::XSDT>(xsdt_address));
@@ -54,7 +72,6 @@ ErrorOr<Optional<PhysicalAddress>> search_table_in_xsdt(PhysicalAddress xsdt_add
 
 ErrorOr<Optional<PhysicalAddress>> find_table(PhysicalAddress rsdp_address, StringView signature)
 {
-    // FIXME: There's no validation of ACPI tables here. Use the checksum to validate the tables.
     VERIFY(signature.length() == 4);
 
     auto rsdp = TRY(Memory::map_typed<Structures::RSDPDescriptor20>(rsdp_address));
@@ -72,7 +89,6 @@ ErrorOr<Optional<PhysicalAddress>> find_table(PhysicalAddress rsdp_address, Stri
 
 ErrorOr<Optional<PhysicalAddress>> search_table_in_rsdt(PhysicalAddress rsdt_address, StringView signature)
 {
-    // FIXME: There's no validation of ACPI tables here. Use the checksum to validate the tables.
     VERIFY(signature.length() == 4);
 
     auto rsdt = TRY(Memory::map_typed<Structures::RSDT>(rsdt_address));