From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
To: Linux ACPI <linux-acpi@vger.kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>, Bob Moore <robert.moore@intel.com>
Subject: [PATCH 16/32] ACPICA: Avoid undefined behavior: member access within misaligned address
Date: Wed, 05 Apr 2023 15:44:55 +0200 [thread overview]
Message-ID: <1849135.atdPhlSkOF@kreacher> (raw)
In-Reply-To: <4845957.31r3eYUQgx@kreacher>
From: Tamir Duberstein <tamird@google.com>
ACPICA commit 7b23bdc37432f0b7fb6c3b6aa76debdcb7eb18c3
Before this change we see the following UBSAN stack trace in Fuchsia:
#0 0x00002132da6299a1 in acpi_ut_validate_resource(struct acpi_walk_state*, void*, u8*) ../../third_party/acpica/source/components/utilities/utresrc.c:426 <platform-bus-x86.so>+0x2f79a1
#1.2 0x000023e6cd58577f in ubsan_get_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:41 <libclang_rt.asan.so>+0x3d77f
#1.1 0x000023e6cd58577f in maybe_print_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:51 <libclang_rt.asan.so>+0x3d77f
#1 0x000023e6cd58577f in ~scoped_report() compiler-rt/lib/ubsan/ubsan_diag.cpp:387 <libclang_rt.asan.so>+0x3d77f
#2 0x000023e6cd586385 in handletype_mismatch_impl() compiler-rt/lib/ubsan/ubsan_handlers.cpp:137 <libclang_rt.asan.so>+0x3e385
#3 0x000023e6cd585ead in compiler-rt/lib/ubsan/ubsan_handlers.cpp:142 <libclang_rt.asan.so>+0x3dead
#4 0x00002132da6299a1 in acpi_ut_validate_resource(struct acpi_walk_state*, void*, u8*) ../../third_party/acpica/source/components/utilities/utresrc.c:426 <platform-bus-x86.so>+0x2f79a1
#5 0x00002132da628ffe in acpi_ut_walk_aml_resources(struct acpi_walk_state*, u8*, acpi_size, acpi_walk_aml_callback, void**) ../../third_party/acpica/source/components/utilities/utresrc.c:216 <platform-bus-x86.so>+0x2f6ffe
#6 0x00002132da5b2405 in acpi_ex_concat_template(union acpi_operand_object*, union acpi_operand_object*, union acpi_operand_object**, struct acpi_walk_state*) ../../third_party/acpica/source/components/executer/exconcat.c:414 <platform-bus-x86.so>+0x280405
#7 0x00002132da5ad5a4 in acpi_ex_opcode_2A_1T_1R(struct acpi_walk_state*) ../../third_party/acpica/source/components/executer/exoparg2.c:383 <platform-bus-x86.so>+0x27b5a4
#8 0x00002132da57ee7d in acpi_ds_exec_end_op(struct acpi_walk_state*) ../../third_party/acpica/source/components/dispatcher/dswexec.c:482 <platform-bus-x86.so>+0x24ce7d
#9 0x00002132da5ed196 in acpi_ps_parse_loop(struct acpi_walk_state*) ../../third_party/acpica/source/components/parser/psloop.c:554 <platform-bus-x86.so>+0x2bb196
#10 0x00002132da5ea458 in acpi_ps_parse_aml(struct acpi_walk_state*) ../../third_party/acpica/source/components/parser/psparse.c:525 <platform-bus-x86.so>+0x2b8458
#11 0x00002132da5f8a92 in acpi_ps_execute_method(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/parser/psxface.c:244 <platform-bus-x86.so>+0x2c6a92
#12 0x00002132da55c2b2 in acpi_ns_evaluate(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/namespace/nseval.c:250 <platform-bus-x86.so>+0x22a2b2
#13 0x00002132da61fd45 in acpi_ut_evaluate_object(struct acpi_namespace_node*, const char*, u32, union acpi_operand_object**) ../../third_party/acpica/source/components/utilities/uteval.c:100 <platform-bus-x86.so>+0x2edd45
#14 0x00002132da606197 in acpi_rs_get_method_data(acpi_handle, const char*, struct acpi_buffer*) ../../third_party/acpica/source/components/resources/rsutils.c:757 <platform-bus-x86.so>+0x2d4197
#15 0x00002132da60652d in acpi_walk_resources(acpi_handle, char*, acpi_walk_resource_callback, void*) ../../third_party/acpica/source/components/resources/rsxface.c:731 <platform-bus-x86.so>+0x2d452d
#16 0x00002132da41dd48 in acpi::acpi_impl::walk_resources(acpi::acpi_impl*, acpi_handle, const char*, acpi::Acpi::resources_callable) ../../src/devices/board/lib/acpi/acpi-impl.cc:41 <platform-bus-x86.so>+0xebd48
#17 0x00002132da42394d in acpi::device_builder::gather_resources(acpi::device_builder*, acpi::Acpi*, fidl::any_arena&, acpi::Manager*, acpi::device_builder::gather_resources_callback) ../../src/devices/board/lib/acpi/device-builder.cc:52 <platform-bus-x86.so>+0xf194d
#18 0x00002132da4afaf2 in acpi::Manager::configure_discovered_devices(acpi::Manager*) ../../src/devices/board/lib/acpi/manager.cc:75 <platform-bus-x86.so>+0x17daf2
#19 0x00002132da3d7b44 in publish_acpi_devices(acpi::Manager*, zx_device_t*, zx_device_t*) ../../src/devices/board/drivers/x86/acpi-nswalk.cc:102 <platform-bus-x86.so>+0xa5b44
#20 0x00002132da3e96f7 in x86::X86::do_init(x86::X86*) ../../src/devices/board/drivers/x86/x86.cc:65 <platform-bus-x86.so>+0xb76f7
#21.1 0x00002132da3f38ea in λ(x86::X86::ddk_init::(anon class)*) ../../src/devices/board/drivers/x86/x86.cc:82 <platform-bus-x86.so>+0xc18ea
#21 0x00002132da3f38ea in fit::internal::target<(lambda at../../src/devices/board/drivers/x86/x86.cc:81:19), false, false, void>::invoke(void*) ../../sdk/lib/fit/include/lib/fit/internal/function.h:181 <platform-bus-x86.so>+0xc18ea
#22.2 0x00002132da638c6c in fit::internal::function_base<16UL, false, void()>::invoke(const fit::internal::function_base<16UL, false, void ()>*) ../../sdk/lib/fit/include/lib/fit/internal/function.h:505 <platform-bus-x86.so>+0x306c6c
#22.1 0x00002132da638c6c in fit::function_impl<16UL, false, void()>::operator()(const fit::function_impl<16UL, false, void ()>*) ../../sdk/lib/fit/include/lib/fit/function.h:300 <platform-bus-x86.so>+0x306c6c
#22 0x00002132da638c6c in async::internal::retained_task::Handler(async_dispatcher_t*, async_task_t*, zx_status_t) ../../zircon/system/ulib/async/task.cc:25 <platform-bus-x86.so>+0x306c6c
#23.1 0x000022c67b305d91 in λ(const driver_runtime::Dispatcher::post_task::(anon class)*, std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request> >, zx_status_t) ../../src/devices/bin/driver_runtime/dispatcher.cc:715 <libdriver_runtime.so>+0x4bd91
#23 0x000022c67b305d91 in fit::internal::target<(lambda at../../src/devices/bin/driver_runtime/dispatcher.cc:714:7), true, false, void, std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request>>, int>::invoke(void*, std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request> >, int) ../../sdk/lib/fit/include/lib/fit/internal/function.h:128 <libdriver_runtime.so>+0x4bd91
#24 0x000022c67b2febc9 in fit::internal::function_base<24UL, true, void(std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request>>, int)>::invoke(const fit::internal::function_base<24UL, true, void (std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request> >, int)>*, std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request> >, int) ../../sdk/lib/fit/include/lib/fit/internal/function.h:505 <libdriver_runtime.so>+0x44bc9
#25 0x000022c67b2fe8dd in fit::callback_impl<24UL, true, void(std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request>>, int)>::operator()(fit::callback_impl<24UL, true, void (std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request> >, int)>*, std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request> >, int) ../../sdk/lib/fit/include/lib/fit/function.h:451 <libdriver_runtime.so>+0x448dd
#26 0x000022c67b2ef6a6 in driver_runtime::callback_request::Call(driver_runtime::callback_request*, std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request> >, zx_status_t) ../../src/devices/bin/driver_runtime/callback_request.h:67 <libdriver_runtime.so>+0x356a6
#27 0x000022c67b2f64c8 in driver_runtime::Dispatcher::dispatch_callback(driver_runtime::Dispatcher*, std::__2::unique_ptr<driver_runtime::callback_request, std::__2::default_delete<driver_runtime::callback_request> >) ../../src/devices/bin/driver_runtime/dispatcher.cc:1093 <libdriver_runtime.so>+0x3c4c8
#28 0x000022c67b2f72c1 in driver_runtime::Dispatcher::dispatch_callbacks(driver_runtime::Dispatcher*, std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter> >, fbl::ref_ptr<driver_runtime::Dispatcher>) ../../src/devices/bin/driver_runtime/dispatcher.cc:1169 <libdriver_runtime.so>+0x3d2c1
#29.1 0x000022c67b30281e in λ(std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter> >, fbl::ref_ptr<driver_runtime::Dispatcher>, const driver_runtime::Dispatcher::create_with_adder::(anon class)*) ../../src/devices/bin/driver_runtime/dispatcher.cc:338 <libdriver_runtime.so>+0x4881e
#29 0x000022c67b30281e in fit::internal::target<(lambda at../../src/devices/bin/driver_runtime/dispatcher.cc:337:7), true, false, void, std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter>>, fbl::ref_ptr<driver_runtime::Dispatcher>>::invoke(void*, std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter> >, fbl::ref_ptr<driver_runtime::Dispatcher>) ../../sdk/lib/fit/include/lib/fit/internal/function.h:128 <libdriver_runtime.so>+0x4881e
#30 0x000022c67b2fee7e in fit::internal::function_base<8UL, true, void(std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter>>, fbl::ref_ptr<driver_runtime::Dispatcher>)>::invoke(const fit::internal::function_base<8UL, true, void (std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter> >, fbl::ref_ptr<driver_runtime::Dispatcher>)>*, std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter> >, fbl::ref_ptr<driver_runtime::Dispatcher>) ../../sdk/lib/fit/include/lib/fit/internal/function.h:505 <libdriver_runtime.so>+0x44e7e
#31.1 0x000022c67b2f8964 in fit::function_impl<8UL, true, void(std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter>>, fbl::ref_ptr<driver_runtime::Dispatcher>)>::operator()(const fit::function_impl<8UL, true, void (std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter> >, fbl::ref_ptr<driver_runtime::Dispatcher>)>*, std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter> >, fbl::ref_ptr<driver_runtime::Dispatcher>) ../../sdk/lib/fit/include/lib/fit/function.h:300 <libdriver_runtime.so>+0x3e964
#31 0x000022c67b2f8964 in driver_runtime::Dispatcher::event_waiter::invoke_callback(driver_runtime::Dispatcher::event_waiter*, std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter> >, fbl::ref_ptr<driver_runtime::Dispatcher>) ../../src/devices/bin/driver_runtime/dispatcher.h:299 <libdriver_runtime.so>+0x3e964
#32 0x000022c67b2f835d in driver_runtime::Dispatcher::event_waiter::handle_event(std::__2::unique_ptr<driver_runtime::Dispatcher::event_waiter, std::__2::default_delete<driver_runtime::Dispatcher::event_waiter> >, async_dispatcher_t*, async::wait_base*, zx_status_t, zx_packet_signal_t const*) ../../src/devices/bin/driver_runtime/dispatcher.cc:1259 <libdriver_runtime.so>+0x3e35d
#33.1 0x000022c67b302c00 in async_loop_owned_event_handler<driver_runtime::Dispatcher::event_waiter>::handle_event(async_loop_owned_event_handler<driver_runtime::Dispatcher::event_waiter>*, zx_status_t, zx_packet_signal_t const*, async_dispatcher_t*, async::wait_base*) ../../src/devices/bin/driver_runtime/async_loop_owned_event_handler.h:59 <libdriver_runtime.so>+0x48c00
#33 0x000022c67b302c00 in async::wait_method<async_loop_owned_event_handler<driver_runtime::Dispatcher::event_waiter>, &async_loop_owned_event_handler<driver_runtime::Dispatcher::event_waiter>::handle_event>::call_handler(async_dispatcher_t*, async_wait_t*, zx_status_t, zx_packet_signal_t const*) ../../zircon/system/ulib/async/include/lib/async/cpp/wait.h:201 <libdriver_runtime.so>+0x48c00
#34.1 0x000022c67b324ead in async_loop_run_once(async_loop_t*, zx_time_t) ../../zircon/system/ulib/async-loop/loop.c:415 <libdriver_runtime.so>+0x6aead
#34 0x000022c67b324ead in async_loop_run(async_loop_t*, zx_time_t, _Bool) ../../zircon/system/ulib/async-loop/loop.c:288 <libdriver_runtime.so>+0x6aead
#35 0x000022c67b32678f in async_loop_run_thread(void*) ../../zircon/system/ulib/async-loop/loop.c:840 <libdriver_runtime.so>+0x6c78f
#36 0x0000431cc3246edc in start_c11(void*) ../../zircon/third_party/ulib/musl/pthread/pthread_create.c:55 <libc.so>+0xd7edc
#37 0x0000431cc337796d in thread_trampoline(uintptr_t, uintptr_t) ../../zircon/system/ulib/runtime/thread.cc:100 <libc.so>+0x20896d
Link: https://github.com/acpica/acpica/commit/7b23bdc3
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
drivers/acpi/acpica/utresrc.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/acpi/acpica/utresrc.c b/drivers/acpi/acpica/utresrc.c
index e1cc3d348750..cff7901f7866 100644
--- a/drivers/acpi/acpica/utresrc.c
+++ b/drivers/acpi/acpica/utresrc.c
@@ -361,16 +361,20 @@ acpi_ut_validate_resource(struct acpi_walk_state *walk_state,
aml_resource = ACPI_CAST_PTR(union aml_resource, aml);
if (resource_type == ACPI_RESOURCE_NAME_SERIAL_BUS) {
+ /* Avoid undefined behavior: member access within misaligned address */
+
+ struct aml_resource_common_serialbus common_serial_bus;
+ memcpy(&common_serial_bus, aml_resource,
+ sizeof(common_serial_bus));
+
/* Validate the bus_type field */
- if ((aml_resource->common_serial_bus.type == 0) ||
- (aml_resource->common_serial_bus.type >
- AML_RESOURCE_MAX_SERIALBUSTYPE)) {
+ if ((common_serial_bus.type == 0) ||
+ (common_serial_bus.type > AML_RESOURCE_MAX_SERIALBUSTYPE)) {
if (walk_state) {
ACPI_ERROR((AE_INFO,
"Invalid/unsupported SerialBus resource descriptor: BusType 0x%2.2X",
- aml_resource->common_serial_bus.
- type));
+ common_serial_bus.type));
}
return (AE_AML_INVALID_RESOURCE_TYPE);
}
--
2.35.3
next prev parent reply other threads:[~2023-04-05 14:02 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-05 13:29 [PATCH 00/32] ACPICA: ACPICA 20230331 Rafael J. Wysocki
2023-04-05 13:32 ` [PATCH 01/32] ACPICA: Headers: Delete bogus node_array array of pointers from AEST table Rafael J. Wysocki
2023-04-05 13:33 ` [PATCH 02/32] ACPICA: ACPI 6.5: MADT: add support for trace buffer extension in GICC Rafael J. Wysocki
2023-04-05 13:34 ` [PATCH 03/32] ACPICA: Add missing macro ACPI_FUNCTION_TRACE() for acpi_ns_repair_HID() Rafael J. Wysocki
2023-04-05 13:35 ` [PATCH 04/32] ACPICA: acpisrc: Add missing tables to astable Rafael J. Wysocki
2023-04-05 13:36 ` [PATCH 05/32] ACPICA: Add support for 64 bit loong_arch compilation Rafael J. Wysocki
2023-04-05 13:36 ` [PATCH 06/32] ACPICA: Add support for ASPT table in disassembler Rafael J. Wysocki
2023-04-05 13:37 ` [PATCH 07/32] ACPICA: Add support for Arm's MPAM ACPI table version 2 Rafael J. Wysocki
2023-04-05 13:38 ` [PATCH 08/32] ACPICA: Update all copyrights/signons to 2023 Rafael J. Wysocki
2023-04-05 13:39 ` [PATCH 09/32] ACPICA: add support for ClockInput resource (v6.5) Rafael J. Wysocki
2023-04-05 13:40 ` [PATCH 10/32] ACPICA: MADT: Add RISC-V INTC interrupt controller Rafael J. Wysocki
2023-04-05 13:40 ` [PATCH 11/32] ACPICA: Add structure definitions for RISC-V RHCT Rafael J. Wysocki
2023-04-05 13:41 ` [PATCH 12/32] ACPICA: Avoid undefined behavior: load of misaligned address Rafael J. Wysocki
2023-04-05 13:42 ` [PATCH 13/32] ACPICA: Avoid undefined behavior: applying zero offset to null pointer Rafael J. Wysocki
2023-04-05 13:43 ` [PATCH 14/32] ACPICA: Avoid undefined behavior: member access within " Rafael J. Wysocki
2023-04-05 13:44 ` [PATCH 15/32] ACPICA: Avoid undefined behavior: member access within misaligned address Rafael J. Wysocki
2023-04-05 13:44 ` Rafael J. Wysocki [this message]
2023-04-05 13:45 ` [PATCH 17/32] " Rafael J. Wysocki
2023-04-05 13:46 ` [PATCH 18/32] " Rafael J. Wysocki
2023-04-05 13:47 ` [PATCH 19/32] ACPICA: Avoid undefined behavior: load of " Rafael J. Wysocki
2023-04-05 13:48 ` [PATCH 20/32] ACPICA: struct acpi_resource_vendor: Replace 1-element array with flexible array Rafael J. Wysocki
2023-04-05 13:48 ` [PATCH 21/32] ACPICA: actbl1: Replace 1-element arrays with flexible arrays Rafael J. Wysocki
2023-04-05 13:50 ` [PATCH 22/32] ACPICA: actbl2: " Rafael J. Wysocki
2023-04-05 23:11 ` Dan Williams
2023-04-06 0:22 ` Dan Williams
2023-04-06 0:37 ` Kees Cook
2023-04-06 0:43 ` Dan Williams
2023-04-06 0:36 ` Dan Williams
2023-04-06 18:32 ` Rafael J. Wysocki
2023-04-05 13:51 ` [PATCH 23/32] ACPICA: struct acpi_nfit_interleave: Replace 1-element array with flexible array Rafael J. Wysocki
2023-04-06 0:36 ` Dan Williams
2023-04-05 13:52 ` [PATCH 24/32] ACPICA: Introduce ACPI_FLEX_ARRAY Rafael J. Wysocki
2023-04-05 13:53 ` [PATCH 25/32] ACPICA: struct acpi_resource_dma: Replace 1-element array with flexible array Rafael J. Wysocki
2023-04-05 13:54 ` [PATCH 26/32] ACPICA: acpi_pci_routing_table: Replace fixed-size array with flex array member Rafael J. Wysocki
2023-04-05 13:55 ` [PATCH 27/32] ACPICA: acpi_dmar_andd: Replace 1-element array with flexible array Rafael J. Wysocki
2023-04-05 13:56 ` [PATCH 28/32] ACPICA: acpi_madt_oem_data: Fix flexible array member definition Rafael J. Wysocki
2023-04-05 13:56 ` [PATCH 29/32] ACPICA: acpi_resource_irq: Replace 1-element arrays with flexible array Rafael J. Wysocki
2023-04-05 13:57 ` [PATCH 30/32] ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects Rafael J. Wysocki
2023-04-05 13:59 ` [PATCH 31/32] ACPICA: add os specific support for Zephyr RTOS Rafael J. Wysocki
2023-04-05 13:59 ` [PATCH 32/32] ACPICA: Update version to 20230331 Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1849135.atdPhlSkOF@kreacher \
--to=rjw@rjwysocki.net \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=robert.moore@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox