:: commit 32dd397b6dce100c14e9aeff7d519cd1c0250df2

Mintsuki <mintsuki@protonmail.com> — 2026-01-12 11:15

parents: 0a9983844f

smp: Validate MADT entry size before accessing type-specific fields

diff --git a/common/sys/smp.c b/common/sys/smp.c
index 2a96a7b3..5ffbdb01 100644
--- a/common/sys/smp.c
+++ b/common/sys/smp.c
@@ -159,6 +159,9 @@ struct limine_mp_info *init_smp(size_t   *cpu_count,
         switch (*madt_ptr) {
             case 0: {
                 // Processor local xAPIC
+                if (*(madt_ptr + 1) < sizeof(struct madt_lapic))
+                    continue;
+
                 struct madt_lapic *lapic = (void *)madt_ptr;
 
                 // Check if we can actually try to start the AP
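Review bot: The added `if (*(madt_ptr + 1) < sizeof(struct madt_lapic))` rejects an entry whose self-declared length is too short, but nothing in the hunk shows that the length byte at `madt_ptr + 1`, or the bytes up to that declared length, lie inside the MADT itself; init_smp starts and ends outside the hunk, so that bound may already be in the enclosing loop condition — worth confirming, because the MADT is firmware-supplied and a length byte larger than the remaining table still lets the `lapic` fields be read past the table's end. The same guard is repeated in the three later hunks (the x2APIC case and the second pass over the table), so a small static helper taking the entry pointer and the required size, called once before each struct cast, would keep the four copies from drifting apart. A short comment on the check would also spare readers a trip to the ACPI spec: `// byte 1 of every MADT entry header is the entry length`.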
@@ -172,6 +175,9 @@ struct limine_mp_info *init_smp(size_t   *cpu_count,
                 if (!x2apic)
                     continue;
 
+                if (*(madt_ptr + 1) < sizeof(struct madt_x2apic))
+                    continue;
+
                 struct madt_x2apic *x2lapic = (void *)madt_ptr;
 
                 // Check if we can actually try to start the AP
@@ -203,6 +209,9 @@ struct limine_mp_info *init_smp(size_t   *cpu_count,
         switch (*madt_ptr) {
             case 0: {
                 // Processor local xAPIC
+                if (*(madt_ptr + 1) < sizeof(struct madt_lapic))
+                    continue;
+
                 struct madt_lapic *lapic = (void *)madt_ptr;
 
                 // Check if we can actually try to start the AP
@@ -240,6 +249,9 @@ struct limine_mp_info *init_smp(size_t   *cpu_count,
                 if (!x2apic)
                     continue;
 
+                if (*(madt_ptr + 1) < sizeof(struct madt_x2apic))
+                    continue;
+
                 struct madt_x2apic *x2lapic = (void *)madt_ptr;
 
                 // Check if we can actually try to start the AP