[fix] Stack smasher in ACPI.
Magnus Bäckström
b at etek.chalmers.se
Wed Apr 16 07:39:06 PDT 2003
I'm attempting to make -CURRENT work on a Compaq Evo N800c, and am hitting
some issues.

(1) The Intel ACPICA contains a potential memory-corruption bug.

(2) The N800c AML uses idioms defined in ACPI 2.0 which the FreeBSD
implementation isn't aware of, and which interact with (1) so as
to corrupt the stack and cause a panic. Specifically, some objects
report their _CID in the form of a Package with multiple Integers in
it (ACPI 2.0 specification p.154 section 6.1.2).

(3) Compaq has defined _HIDs *with* leading asterisks in direct
violation of ACPI 2.0 p.156 section 6.1.4. Growl.

The attached patch is a suggestion for a fix of (1) and the part
of (2) that interacts with (1).

I'm working on the rest of (2) and a workaround for (3).

-- B
-------------- next part --------------
Index: src/sys/contrib/dev/acpica/utalloc.c
diff -u src/sys/contrib/dev/acpica/utalloc.c:1.1.1.1 src/sys/contrib/dev/acpica/utalloc.c:1.1.1.1.4.1
--- src/sys/contrib/dev/acpica/utalloc.c:1.1.1.1 Tue Jul 9 19:51:30 2002
+++ src/sys/contrib/dev/acpica/utalloc.c Wed Apr 16 16:06:20 2003
@@ -386,6 +386,7 @@
/* Clear the buffer */
ACPI_MEMSET (Buffer->Pointer, 0, RequiredLength);
+ Buffer->Length = RequiredLength;
break;
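Review bot: the assignment added after ACPI_MEMSET here is repeated verbatim in the next case (@@ -402), and nothing in either place says why Length is now written per case instead of once before the return. A one-line comment above `Buffer->Length = RequiredLength;` stating that Length is only updated on paths where Pointer covers RequiredLength bytes would keep a later case from being added without it.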
@@ -402,6 +403,7 @@
/* Clear the buffer */
ACPI_MEMSET (Buffer->Pointer, 0, RequiredLength);
+ Buffer->Length = RequiredLength;
break;
@@ -412,6 +414,7 @@
if (Buffer->Length < RequiredLength)
{
Status = AE_BUFFER_OVERFLOW;
+ break;
}
/* Clear the buffer */
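Review bot: the `break;` added under `Status = AE_BUFFER_OVERFLOW;` is the memory-safety fix in this file and should carry a comment saying so. Without it, control falls through to the "Clear the buffer" step that follows, which in the two earlier cases is an ACPI_MEMSET of RequiredLength bytes, applied here to a caller buffer that the `Buffer->Length < RequiredLength` test has just found too small. A short note such as "do not touch the caller's buffer on overflow" next to the break would stop a later cleanup from removing it as redundant.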
@@ -420,7 +423,6 @@
break;
}
- Buffer->Length = RequiredLength;
return (Status);
}
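Review bot: dropping the unconditional `Buffer->Length = RequiredLength;` before `return (Status);` changes what callers see on the AE_BUFFER_OVERFLOW path: as far as these hunks show, Length is now left at the caller's original value, so the required size is no longer reported back. Code that sizes a retry from the returned length, as the `AcpiOsAllocate(buf.Length)` line removed from acpi.c later in this patch did, would allocate the same too-small buffer again. The same removal also means the caller-supplied-buffer success path no longer shrinks Length to RequiredLength. Consider setting `Buffer->Length = RequiredLength;` just before the new `break;` in the overflow branch and after the clear in that case, or document the new contract and audit the other callers.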
Index: src/sys/dev/acpica/acpi.c
diff -u src/sys/dev/acpica/acpi.c:1.1.1.6 src/sys/dev/acpica/acpi.c:1.1.1.6.2.1
--- src/sys/dev/acpica/acpi.c:1.1.1.6 Fri Mar 7 15:40:59 2003
+++ src/sys/dev/acpica/acpi.c Wed Apr 16 16:06:20 2003
@@ -1129,14 +1129,15 @@
* This is a hack.
*/
if (error == AE_BUFFER_OVERFLOW) {
- if ((buf.Pointer = AcpiOsAllocate(buf.Length)) == NULL) {
- error = AE_NO_MEMORY;
- } else {
- if (ACPI_SUCCESS(error = AcpiEvaluateObject(handle, path, NULL, &buf))) {
+ buf.Pointer = NULL;
+ buf.Length = ACPI_ALLOCATE_BUFFER;
+
+ if (ACPI_SUCCESS(error = AcpiEvaluateObject(handle, path, NULL, &buf))) {
error = acpi_ConvertBufferToInteger(&buf, number);
- }
}
- AcpiOsFree(buf.Pointer);
+
+ if (buf.Pointer)
+ AcpiOsFree(buf.Pointer);
}
return(error);
}
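Review bot: the "This is a hack" comment at the top of this hunk no longer describes the code beneath it and should be updated, since the retry now sets `buf.Pointer = NULL` and `buf.Length = ACPI_ALLOCATE_BUFFER` and lets ACPICA size the buffer instead of trusting the length returned by the failed call. That is the right direction because it removes the dependency on buf.Length after AE_BUFFER_OVERFLOW. Two smaller points on the cleanup: `if (buf.Pointer)` would read better as an explicit `!= NULL` comparison to match the removed `== NULL` test, and it is worth a comment that Pointer is freed whether or not acpi_ConvertBufferToInteger succeeded.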