madt: Add entry length validation to prevent infinite loop
diff --git a/common/sys/cpu_riscv.c b/common/sys/cpu_riscv.c
index 1c8c27a1..2f12129f 100644
--- a/common/sys/cpu_riscv.c
+++ b/common/sys/cpu_riscv.c
@@ -101,6 +101,9 @@ static void init_riscv_acpi(void) {
for (uint8_t *madt_ptr = (uint8_t *)madt->madt_entries_begin;
(uintptr_t)madt_ptr + 1 < (uintptr_t)madt + madt->header.length; madt_ptr += *(madt_ptr + 1)) {
+ if (*(madt_ptr + 1) == 0) {
+ break;
+ }
if (*madt_ptr != 0x18) {
continue;
}
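Review bot: The added guard rejects only a length byte of 0, so an entry whose length is 1, or whose length runs past `madt->header.length`, is still accepted in this loop and in the four identical loops in lapic.c and smp.c. The loop condition only guarantees that the length byte itself lies inside the table, so any code that reads further fields of a matched entry can read beyond the table when firmware supplies a malformed MADT. I would bound the length on both sides, for example `if (*(madt_ptr + 1) < 2 || *(madt_ptr + 1) > (uintptr_t)madt + madt->header.length - (uintptr_t)madt_ptr) { break; }`. The body of this loop continues outside the hunk, so how the 0x18 entry is consumed is not visible here.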
diff --git a/common/sys/lapic.c b/common/sys/lapic.c
index 1a8d93c3..5820bdbc 100644
--- a/common/sys/lapic.c
+++ b/common/sys/lapic.c
@@ -109,6 +109,9 @@ void init_io_apics(void) {
for (uint8_t *madt_ptr = (uint8_t *)madt->madt_entries_begin;
(uintptr_t)madt_ptr + 1 < (uintptr_t)madt + madt->header.length;
madt_ptr += *(madt_ptr + 1)) {
+ if (*(madt_ptr + 1) == 0) {
+ break;
+ }
switch (*madt_ptr) {
case 1: {
max_io_apics++;
@@ -123,6 +126,9 @@ void init_io_apics(void) {
for (uint8_t *madt_ptr = (uint8_t *)madt->madt_entries_begin;
(uintptr_t)madt_ptr + 1 < (uintptr_t)madt + madt->header.length;
madt_ptr += *(madt_ptr + 1)) {
+ if (*(madt_ptr + 1) == 0) {
+ break;
+ }
switch (*madt_ptr) {
case 1: {
io_apics[max_io_apics++] = (void *)madt_ptr;
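Review bot: In `case 1` the entry pointer is stored into `io_apics` without comparing the entry's length byte to the size of the structure the pointer will later be read as. A type 1 entry with a short length would pass the new zero check and leave a pointer whose fields extend past the entry, possibly past the table. Consider skipping entries where `*(madt_ptr + 1)` is smaller than the `sizeof` of the I/O APIC entry structure, and apply the same test in the counting loop above so both passes agree on `max_io_apics`. The case body continues outside the hunk.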
diff --git a/common/sys/smp.c b/common/sys/smp.c
index cb7e1c09..19050722 100644
--- a/common/sys/smp.c
+++ b/common/sys/smp.c
@@ -478,6 +478,9 @@ static struct limine_mp_info *try_acpi_smp(size_t *cpu_count,
for (uint8_t *madt_ptr = (uint8_t *)madt->madt_entries_begin;
(uintptr_t)madt_ptr + 1 < (uintptr_t)madt + madt->header.length;
madt_ptr += *(madt_ptr + 1)) {
+ if (*(madt_ptr + 1) == 0) {
+ break;
+ }
switch (*madt_ptr) {
case 11: {
// GIC CPU Interface
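Review bot: The `break` ends CPU enumeration silently, so a malformed MADT shows up only as a smaller CPU count with no hint as to why. A short comment on the guard would help, such as `/* A zero length byte never advances madt_ptr; treat the MADT as malformed and stop. */`, together with a warning through the logging helper this file already uses. The same three-line guard is now copied into five loops across three files; a single shared static inline entry-advance helper would keep any later tightening of the check in one place.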
@@ -502,6 +505,9 @@ static struct limine_mp_info *try_acpi_smp(size_t *cpu_count,
for (uint8_t *madt_ptr = (uint8_t *)madt->madt_entries_begin;
(uintptr_t)madt_ptr + 1 < (uintptr_t)madt + madt->header.length;
madt_ptr += *(madt_ptr + 1)) {
+ if (*(madt_ptr + 1) == 0) {
+ break;
+ }
switch (*madt_ptr) {
case 11: {
// GIC CPU Interface
