[linux] Validate length of ACPI table read from sysfs

Consumers of acpi_find() will assume that returned structures include
a valid table header and that the length in the table header is
correct.  These assumptions are necessary when dealing with raw ACPI
tables, since there exists no independent source of length
information.

Ensure that these assumptions are also valid for ACPI tables read from
sysfs.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/include/ipxe/errfile.h

@@ -389,6 +389,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define ERRFILE_efi_autoexec	      ( ERRFILE_OTHER | 0x00540000 )
 #define ERRFILE_efi_cachedhcp	      ( ERRFILE_OTHER | 0x00550000 )
 #define ERRFILE_linux_sysfs	      ( ERRFILE_OTHER | 0x00560000 )
+#define ERRFILE_linux_acpi	      ( ERRFILE_OTHER | 0x00570000 )
 
 /** @} */
 

src/interface/linux/linux_acpi.c

@@ -57,6 +57,7 @@ static LIST_HEAD ( linux_acpi_tables );
  */
 static userptr_t linux_acpi_find ( uint32_t signature, unsigned int index ) {
 	struct linux_acpi_table *table;
+	struct acpi_header *header;
 	union {
 		uint32_t signature;
 		char filename[5];
@@ -100,6 +101,14 @@ static userptr_t linux_acpi_find ( uint32_t signature, unsigned int index ) {
 		       filename, strerror ( rc ) );
 		goto err_read;
 	}
+	header = user_to_virt ( table->data, 0 );
+	if ( ( ( ( size_t ) len ) < sizeof ( *header ) ) ||
+	     ( ( ( size_t ) len ) < le32_to_cpu ( header->length ) ) ) {
+		rc = -ENOENT;
+		DBGC ( &linux_acpi_tables, "ACPI underlength %s (%d bytes)\n",
+		       filename, len );
+		goto err_len;
+	}
 
 	/* Add to list of tables */
 	list_add ( &table->list, &linux_acpi_tables );
@@ -107,6 +116,7 @@ static userptr_t linux_acpi_find ( uint32_t signature, unsigned int index ) {
 
 	return table->data;
 
+ err_len:
 	ufree ( table->data );
  err_read:
 	free ( table );