s390/ipl: add missing intersection check to ipl_report handling

The code which handles the ipl report is searching for a free location
in memory where it could copy the component and certificate entries to.
It checks for intersection between the sections required for the kernel
and the component/certificate data area, but fails to check whether
the data structures linking these data areas together intersect.

This might cause the iplreport copy code to overwrite the iplreport
itself. Fix this by adding two addtional intersection checks.

Cc: <stable@vger.kernel.org>
Fixes: 9641b8cc733f ("s390/ipl: read IPL report at early boot")
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

diff --git a/arch/s390/boot/ipl_report.c b/arch/s390/boot/ipl_report.c
index 9b14045065b6e1e4bfbfcfa6c714a1d5d1e08a6e..74b5cd264862247fc040cabfe24c6a289d3d08a3 100644 (file)
--- a/arch/s390/boot/ipl_report.c
+++ b/arch/s390/boot/ipl_report.c
@@ -57,11 +57,19 @@ repeat:
        if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && initrd_data.start && initrd_data.size &&
            intersects(initrd_data.start, initrd_data.size, safe_addr, size))
                safe_addr = initrd_data.start + initrd_data.size;
+       if (intersects(safe_addr, size, (unsigned long)comps, comps->len)) {
+               safe_addr = (unsigned long)comps + comps->len;
+               goto repeat;
+       }
        for_each_rb_entry(comp, comps)
                if (intersects(safe_addr, size, comp->addr, comp->len)) {
                        safe_addr = comp->addr + comp->len;
                        goto repeat;
                }
+       if (intersects(safe_addr, size, (unsigned long)certs, certs->len)) {
+               safe_addr = (unsigned long)certs + certs->len;
+               goto repeat;
+       }
        for_each_rb_entry(cert, certs)
                if (intersects(safe_addr, size, cert->addr, cert->len)) {
                        safe_addr = cert->addr + cert->len;