FYI: ACPI buffer overflow
Hans Petter Selasky
hselasky at c2i.net
Sun Oct 17 13:54:25 UTC 2010
---------- Forwarded Message ----------
Subject: Re: MacBookPro 5,1
Date: Sunday 17 October 2010, 15:47:56
From: Hans Petter Selasky <hselasky at c2i.net>
To: freebsd-acpi at freebsd.org
CC: linux-acpi at vger.kernel.org
Hi,
CC'ing the Linux guys, hence I belive you are using the same ACPI code like in
FreeBSD.
It appears that when a string is present in the extended interrupt descriptor
(6.4.3.6, ACPIspec30.pdf), then this is not handled correctly, meaning that
the precomputed buffer space when encoding to AML, is incorrect and that data
is written beyond the destination buffer!
The error is catched on a MacBookPro 5,1 and is visible if you zero-pad all
ACPI allocations to 4096 bytes, and verify that the freed buffer is not
written beyond the allocation. Also the Extended interrupt descriptor must be
the last element encoded in the AML.
The quick patch is to disable these elements. I tried to figure out why this
happens, but this particular handling in the code looks very obfuscated to me.
src/sys/contrib/dev/acpica
%svk diff
=== resources/rsmisc.c
==================================================================
--- resources/rsmisc.c (revision 213698)
+++ resources/rsmisc.c (local)
@@ -311,6 +311,8 @@
case ACPI_RSC_SOURCEX:
+ break; /* RSC_SOURCEX is broken */
+
/*
* Optional ResourceSource (Index and String). This is the more
* complicated case used by the Interrupt() macro
@@ -537,6 +539,8 @@
case ACPI_RSC_SOURCEX:
+ break; /* RSC_SOURCEX is broken */
+
/*
* Optional ResourceSource (Index and String)
*/
Any comments are welcome!
--HPS
-----------------------------------------
More information about the freebsd-current
mailing list