From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BD3B1255F27; Tue, 24 Jun 2025 04:13:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750738404; cv=none; b=T2SR9Kipf3gh5lMN/jQ2ERgI9VCZz4ZmLqEgPEL2DdbC3/QH3M+YZcOORGHowm/d0YfNQMU9GHhzWXp/YSMsogupkY3LgIVkIR967ueTRWioCIieyRpxoylmIIFC6Y86DfCQEMQm+O5soR70qMD088/v+O5PsZ3m3HzB3dY9mc4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750738404; c=relaxed/simple; bh=jJzyRc/j3ITWQGS3DL2fPaid0pwnhozUWIQv8anLWFs=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=FUHwBeF1+QoirQues4+0YoR5ocgeoM+B2jfArQqcQIj+H514zzXcS/5FSrN31c4jL2lP7iv6PTFd4vaJIUWaViIVDpHfSKTKFcIB9+9AjwggWiDFL9K864tTM6lhny4M5mCnpQN27rYa9WplhTxnHWFW7nl5S0ZK+LvhTJ/MqZs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=OBZQpx0q; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="OBZQpx0q" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3EB11C4CEF0; Tue, 24 Jun 2025 04:13:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1750738404; bh=jJzyRc/j3ITWQGS3DL2fPaid0pwnhozUWIQv8anLWFs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OBZQpx0qqREDLpdptnKyS7tCHoWAZ4y6RIMm8nwEFp4iDkgsprgT9fFdVZyiJcKur 3nhDkHt/WBohN6s+Lfqz6yFLyEkdwlRIE6wl9jmUmKNdNbr3uYPk2abyv8hFlEthdn 0p+PSWuNY40KfE5UzRgsXFMb7mtjZtlmtilP1z9YUp08DmrlzeuRKQdAlN3iYwA6GZ yYKJvTau/WjSTHcxf37RJ82JAEOERqAe0vvbLuNLK/XndbbyupGWhHf1Pm35MFyxvs jdXJd8dCPZf5l9M4RtngopieQiYedi2f38PO4xl9vhkdujCyOvnVNkHZmXgdYEXi2R UrtN9FVCWVPvQ== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: "Rafael J. Wysocki" , Peter Williams , Hans de Goede , Sasha Levin , robert.moore@intel.com, linux-acpi@vger.kernel.org, acpica-devel@lists.linux.dev Subject: [PATCH AUTOSEL 5.10 7/8] ACPICA: Refuse to evaluate a method if arguments are missing Date: Tue, 24 Jun 2025 00:13:14 -0400 Message-Id: <20250624041316.85209-7-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250624041316.85209-1-sashal@kernel.org> References: <20250624041316.85209-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: linux-acpi@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 5.10.238 Content-Transfer-Encoding: 8bit From: "Rafael J. Wysocki" [ Upstream commit 6fcab2791543924d438e7fa49276d0998b0a069f ] As reported in [1], a platform firmware update that increased the number of method parameters and forgot to update a least one of its callers, caused ACPICA to crash due to use-after-free. Since this a result of a clear AML issue that arguably cannot be fixed up by the interpreter (it cannot produce missing data out of thin air), address it by making ACPICA refuse to evaluate a method if the caller attempts to pass fewer arguments than expected to it. Closes: https://github.com/acpica/acpica/issues/1027 [1] Reported-by: Peter Williams Signed-off-by: Rafael J. Wysocki Reviewed-by: Hans de Goede Tested-by: Hans de Goede # Dell XPS 9640 with BIOS 1.12.0 Link: https://patch.msgid.link/5909446.DvuYhMxLoT@rjwysocki.net Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin --- **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Key Reasons for Backporting: ### 1. **Critical Security Bug - Use-After-Free** The commit message explicitly states this fixes a use-after-free vulnerability that causes ACPICA to crash. Use-after-free bugs are severe security issues that can lead to: - System crashes and denial of service - Potential arbitrary code execution - Memory corruption ### 2. **Real-World Impact** The commit references an actual bug report with a specific hardware/firmware scenario: - Platform firmware update increased method parameters - Firmware forgot to update at least one caller - This caused a real crash on actual hardware (Dell XPS 9640 with BIOS 1.12.0) - The bug has been reported, tested, and verified by multiple people ### 3. **Small, Focused Fix** The code change is minimal and surgical: ```c + if (this_walk_state->num_operands < obj_desc->method.param_count) { + ACPI_ERROR((AE_INFO, "Missing argument for method [%4.4s]", + acpi_ut_get_node_name(method_node))); + + return_ACPI_STATUS(AE_AML_UNINITIALIZED_ARG); + } ``` This adds a simple bounds check before method execution, which is exactly the type of defensive programming that should be in stable kernels. ### 4. **Prevents Memory Corruption** Looking at the surrounding code (specifically line 542 in the original): ```c for (i = 0; i < obj_desc->method.param_count; i++) { acpi_ut_remove_reference(this_walk_state->operands[i]); this_walk_state->operands[i] = NULL; } ``` Without the check, if `num_operands < param_count`, this loop would access beyond the valid operands, causing use-after-free. ### 5. **Clear Error Handling** The fix properly returns `AE_AML_UNINITIALIZED_ARG`, which is an existing ACPICA error code specifically designed for this scenario ("Method tried to use an uninitialized argument"). This maintains API compatibility. ### 6. **No Architectural Changes** The commit: - Doesn't introduce new features - Doesn't change existing behavior for valid code - Only adds validation to prevent crashes from invalid AML - Is confined to the ACPICA subsystem ### 7. **Firmware Bug Mitigation** This is a defensive fix against firmware bugs, which is exactly the type of robustness stable kernels need. The kernel should not crash due to firmware mistakes. ## Comparison with Similar Commits: Unlike the similar commits shown (which were mostly about improving error messages or cosmetic changes), this commit: - Fixes an actual crash/security issue - Has been reported and tested on real hardware - Prevents memory corruption - Is not just a theoretical improvement This aligns perfectly with stable kernel rules: important bug fixes with minimal risk that improve system stability and security. drivers/acpi/acpica/dsmethod.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c index 97971c79c5f56..13c67f58e9052 100644 --- a/drivers/acpi/acpica/dsmethod.c +++ b/drivers/acpi/acpica/dsmethod.c @@ -483,6 +483,13 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, return_ACPI_STATUS(AE_NULL_OBJECT); } + if (this_walk_state->num_operands < obj_desc->method.param_count) { + ACPI_ERROR((AE_INFO, "Missing argument for method [%4.4s]", + acpi_ut_get_node_name(method_node))); + + return_ACPI_STATUS(AE_AML_UNINITIALIZED_ARG); + } + /* Init for new method, possibly wait on method mutex */ status = -- 2.39.5