From abe2aacc6845fd5ce80896a50e770d4116e9f80c Mon Sep 17 00:00:00 2001
From: patrick
Date: Wed, 10 Mar 2021 21:49:55 +0000
Subject: [PATCH] Our ACPI namerefs are pointers to the byte structures for ACPI names. These are not in a printable format, hence printing them as string is wrong. Additionally, aml_searchrel()/aml_searchname() expect the name to be passed in a printable format as well. Passing a nameref can lead to an out-of-bounds read, and the comparison can fail. Hence make sure that namerefs are passed to aml_getname() first, which returns printable strings. Note that aml_getname() uses a static buffer, so there are a few restrictions how the string can be used. ok kettenis@
---
 sys/dev/acpi/acpiprt.c | 5 +++--
 sys/dev/acpi/acpipwrres.c | 5 +++--
 sys/dev/acpi/acpitz.c | 4 ++--
 sys/dev/acpi/atk0110.c | 8 ++++----
 sys/dev/acpi/dsdt.c | 10 ++++++----
 sys/dev/acpi/dsdt.h | 3 ++-
 6 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/sys/dev/acpi/acpiprt.c b/sys/dev/acpi/acpiprt.c
index ea28993d051..bd62006301a 100644
--- a/sys/dev/acpi/acpiprt.c
+++ b/sys/dev/acpi/acpiprt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: acpiprt.c,v 1.50 2020/12/17 17:57:19 kettenis Exp $ */
+/* $OpenBSD: acpiprt.c,v 1.51 2021/03/10 21:49:55 patrick Exp $ */
 /*
 * Copyright (c) 2006 Mark Kettenis
 *
@@ -273,7 +273,8 @@ acpiprt_prt_add(struct acpiprt_softc *sc, struct aml_value *v)
 pp = v->v_package[2];
 if (pp->type == AML_OBJTYPE_NAMEREF) {
- node = aml_searchrel(sc->sc_devnode, pp->v_nameref);
+ node = aml_searchrel(sc->sc_devnode,
+ aml_getname(pp->v_nameref));
 if (node == NULL) {
 printf("Invalid device\n");
 return;
diff --git a/sys/dev/acpi/acpipwrres.c b/sys/dev/acpi/acpipwrres.c
index 4de7da1e871..6ffe53870c8 100644
--- a/sys/dev/acpi/acpipwrres.c
+++ b/sys/dev/acpi/acpipwrres.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: acpipwrres.c,v 1.9 2020/12/17 17:57:19 kettenis Exp $ */
+/* $OpenBSD: acpipwrres.c,v 1.10 2021/03/10 21:49:55 patrick Exp $ */
 /*
 * Copyright (c) 2013 Martin Pieuchot
@@ -294,7 +294,8 @@ acpipwrres_foundcons(struct aml_node *node, void *arg)
 if (ref->type == AML_OBJTYPE_NAMEREF) {
 struct aml_node *pnode;
- pnode = aml_searchrel(&aml_root, ref->v_nameref);
+ pnode = aml_searchrel(&aml_root,
+ aml_getname(ref->v_nameref));
 if (pnode == NULL) {
 DPRINTF(("%s: device %s not found\n", DEVNAME(sc), ref->v_string));
diff --git a/sys/dev/acpi/acpitz.c b/sys/dev/acpi/acpitz.c
index f364ac89006..af27555c9ad 100644
--- a/sys/dev/acpi/acpitz.c
+++ b/sys/dev/acpi/acpitz.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: acpitz.c,v 1.55 2020/12/17 17:57:19 kettenis Exp $ */
+/* $OpenBSD: acpitz.c,v 1.56 2021/03/10 21:49:55 patrick Exp $ */
 /*
 * Copyright (c) 2006 Can Erkin Acar
 * Copyright (c) 2005 Marco Peereboom
@@ -306,7 +306,7 @@ acpitz_setfan(struct acpitz_softc *sc, int i, char *method)
 ref = res1.v_package[y];
 if (ref->type == AML_OBJTYPE_NAMEREF) {
 node = aml_searchrel(sc->sc_devnode,
- ref->v_nameref);
+ aml_getname(ref->v_nameref));
 if (node == NULL) {
 printf("%s: %s[%d.%d] _PR0"
 " not a valid device\n",
diff --git a/sys/dev/acpi/atk0110.c b/sys/dev/acpi/atk0110.c
index 503d1e4a813..e9992b71449 100644
--- a/sys/dev/acpi/atk0110.c
+++ b/sys/dev/acpi/atk0110.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: atk0110.c,v 1.16 2020/12/17 17:57:19 kettenis Exp $ */
+/* $OpenBSD: atk0110.c,v 1.17 2021/03/10 21:49:55 patrick Exp $ */
 /*
 * Copyright (c) 2009 Constantine A. Murenin
@@ -104,7 +104,7 @@ void aibs_refresh(void *);
 void aibs_attach_sif(struct aibs_softc *, enum sensor_type);
 void aibs_attach_new(struct aibs_softc *);
-void aibs_add_sensor(struct aibs_softc *, char *);
+void aibs_add_sensor(struct aibs_softc *, const char *);
 void aibs_refresh_r(struct aibs_softc *, struct aibs_sensor *);
 int aibs_getvalue(struct aibs_softc *, int64_t, int64_t *);
 int aibs_getpack(struct aibs_softc *, struct aml_node *, int64_t,
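Review bot: In acpipwrres_foundcons the not-found path still formats the raw reference, `DPRINTF(("%s: device %s not found\n", DEVNAME(sc), ref->v_string));`, while the lookup just above it now goes through aml_getname(). Assuming v_string reads the same storage as v_nameref for an AML_OBJTYPE_NAMEREF value (the value layout is not visible here), that `%s` treats the encoded name bytes as a C string, which is the unprintable and possibly over-long read the commit message describes. The debug argument should become `aml_getname(ref->v_nameref)` as well. DPRINTF is presumably compiled only into debug kernels, so the exposure would be limited to those builds. The function body starts and ends outside the hunk.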
@@ -235,7 +235,7 @@ aibs_attach_sif(struct aibs_softc *sc, enum sensor_type st)
 DEVNAME(sc), name, i, v[0]->type);
 continue;
 }
- aibs_add_sensor(sc, v[0]->v_nameref);
+ aibs_add_sensor(sc, aml_getname(v[0]->v_nameref));
 }
 aml_freevalue(&res);
@@ -266,7 +266,7 @@ aibs_attach_new(struct aibs_softc *sc)
 }
 void
-aibs_add_sensor(struct aibs_softc *sc, char *name)
+aibs_add_sensor(struct aibs_softc *sc, const char *name)
 {
 struct aml_value ri;
 struct aibs_sensor *as;
diff --git a/sys/dev/acpi/dsdt.c b/sys/dev/acpi/dsdt.c
index 0cbeeb43d08..ac0e4323653 100644
--- a/sys/dev/acpi/dsdt.c
+++ b/sys/dev/acpi/dsdt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsdt.c,v 1.258 2021/03/07 22:53:46 yasuoka Exp $ */
+/* $OpenBSD: dsdt.c,v 1.259 2021/03/10 21:49:55 patrick Exp $ */
 /*
 * Copyright (c) 2005 Jordan Hargrave
 *
@@ -1689,7 +1689,7 @@ int aml_fixup_node(struct aml_node *node, void *arg)
 if (arg == NULL)
 aml_fixup_node(node, node->value);
 else if (val->type == AML_OBJTYPE_NAMEREF) {
- node = aml_searchname(node, val->v_nameref);
+ node = aml_searchname(node, aml_getname(val->v_nameref));
 if (node && node->value) {
 _aml_setvalue(val, AML_OBJTYPE_OBJREF, AMLOP_NAMECHAR, node->value);
@@ -3005,9 +3005,11 @@ aml_store(struct aml_scope *scope, struct aml_value *lhs , int64_t ival,
 aml_copyvalue(lhs, rhs);
 break;
 case AML_OBJTYPE_NAMEREF:
- node = __aml_searchname(scope->node, lhs->v_nameref, 1);
+ node = __aml_searchname(scope->node,
+ aml_getname(lhs->v_nameref), 1);
 if (node == NULL) {
- aml_die("Could not create node %s", lhs->v_nameref);
+ aml_die("Could not create node %s",
+ aml_getname(lhs->v_nameref));
 }
 aml_copyvalue(node->value, rhs);
 break;
diff --git a/sys/dev/acpi/dsdt.h b/sys/dev/acpi/dsdt.h
index b07312da3e3..c2f91d22b63 100644
--- a/sys/dev/acpi/dsdt.h
+++ b/sys/dev/acpi/dsdt.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsdt.h,v 1.78 2020/09/16 11:52:17 jsg Exp $ */
+/* $OpenBSD: dsdt.h,v 1.79 2021/03/10 21:49:55 patrick Exp $ */
 /*
 * Copyright (c) 2005 Marco Peereboom
 *
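Review bot: The pointer handed to aibs_add_sensor() in aibs_attach_sif now refers to aml_getname()'s static buffer (per the commit message), so `name` stays valid only until aml_getname() is called again. The body of aibs_add_sensor() lies outside both this hunk and the -266 signature hunk. If it evaluates AML with `name` and then reuses `name` afterwards, for a sensor description or an error message, the text may already have been overwritten, because the aml_store path in dsdt.c now calls aml_getname() itself. This is worth confirming; the fix would be either to copy the name into a local buffer at the top of aibs_add_sensor() or to add a comment there such as `/* name points into aml_getname()'s static buffer; do not use it after further AML calls */`.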
@@ -44,6 +44,7 @@ const char *aml_mnem(int, uint8_t *);
 int64_t aml_val2int(struct aml_value *);
 struct aml_node *aml_searchname(struct aml_node *, const void *);
 struct aml_node *aml_searchrel(struct aml_node *, const void *);
+const char *aml_getname(const char *);
 struct aml_value *aml_getstack(struct aml_scope *, int);
 struct aml_value *aml_allocvalue(int, int64_t, const void *);
--
2.20.1
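Review bot: The new prototype `const char *aml_getname(const char *);` exports a function whose result, per the commit message, lives in a static buffer, but nothing at the declaration says so. Driver authors will mostly see only this header, so a comment on the prototype would help, for example `/* returns a pointer to a static buffer, overwritten by the next call; copy it if it must outlive further AML calls */`. The neighbouring aml_searchname() and aml_searchrel() still take `const void *`, so the compiler cannot flag a raw nameref being passed to them again. A short comment next to them stating that the name must be in the printable form would document the contract this commit establishes.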