Source: source/ components/ dispatcher/ dswexec. c
Function: AcpiDsExecEndOp
The following call can be problematic if OpType is out of range:

    if (ACPI_SUCCESS (Status))
    {
        /*
         * Dispatch the request to the appropriate interpreter handler
         * routine. There is one routine per opcode "type" based upon the
         * number of opcode arguments and return type.
         */
        Status = AcpiGbl_OpTypeDispatch[OpType] (WalkState);
    }

An invalid OpType has been observed in the Linux kernel, where an out-of-range OpType was caught at run time. Newer versions of gcc generate a trap (a ud2 opcode) on an out-of-range dispatch call, causing kernel oopses such as:
[   11.507260] RIP: 0010:acpi_ds_exec_end_op+0x187/0x774
[   11.508771] Code: 77 28 48 8b 04 c5 00 9b ea 91 48 89 df ff d0 0f 1f 00 41 89 c4 e9 8f 00 00 00 0f b6 43 0d 8d 50 ff 48 63 d2 48 83 fa 09 76 02 <0f> 0b 83 c0 6c 0f b7 7b 0a 48 89 da 48 98 48 8d 34 c3 e8 c0 3c 01
[   11.511898] RSP: 0018:ffffaaeca1a776e0 EFLAGS: 00010286
[   11.513428] RAX: 0000000000000000 RBX: ffff8f08a7573800 RCX: 0000000000000040
[   11.514972] RDX: ffffffffffffffff RSI: ffffffff91ea9980 RDI: 00000000000002cb
[   11.516100] RBP: ffffaaeca1a77710 R08: 0000000000000000 R09: ffff8f08a8c84af0
[   11.517479] R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
[   11.518985] R13: ffff8f08a8c84af0 R14: 0000000000000000 R15: 0000000000000000
[   11.520425] FS:  00007f7fb403ed00(0000) GS:ffff8f348d5c0000(0000) knlGS:0000000000000000
[   11.521931] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   11.523424] CR2: 00007f7fb38d1918 CR3: 0000000129b6a002 CR4: 00000000007706e0
[   11.524924] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   11.526221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   11.527636] PKRU: 55555554
[   11.528820] Call Trace:
[   11.529807]  acpi_ps_parse_loop+0x587/0x660
[   11.531198]  acpi_ps_parse_aml+0x1af/0x552
[   11.532595]  acpi_ps_execute_method+0x208/0x2ca
[   11.533972]  acpi_ns_evaluate+0x34e/0x4f0
[   11.535361]  acpi_evaluate_object+0x18e/0x3b4
[   11.536736]  acpi_evaluate_dsm+0xb3/0x120
[   11.537943]  ? acpi_evaluate_dsm+0xb3/0x120
[   11.539214]  nfit_intel_shutdown_status+0xed/0x1b0 [nfit]
[   11.540603]  acpi_nfit_add_dimm+0x3cb/0x670 [nfit]
[   11.541990]  acpi_nfit_register_dimms+0x141/0x460 [nfit]
[   11.543377]  acpi_nfit_init+0x54f/0x620 [nfit]
[   11.544755]  acpi_nfit_add+0x192/0x1f0 [nfit]
[   11.546116]  acpi_device_probe+0x49/0x170
I strongly suggest adding out-of-bounds sanity checks on OpType before calling the dispatcher.
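As an added example (not ACPICA's code, and not whatever fix the project may have applied), the following C program reduces the dispatch pattern above to a miniature: a function-pointer table indexed directly by OpType, beside a bounds-checked form of the same call. The handler routines, the table name op_type_dispatch and its size, the status values, and the walk_state structure are all hypothetical stand-ins for the real ACPICA definitions.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not ACPICA code): a miniature of the OpType dispatch
 * in AcpiDsExecEndOp, with the reported unchecked indexing beside a
 * bounds-checked form. Handler, table, status and walk_state names are
 * hypothetical stand-ins for ACPICA's.
 */

typedef int status_t;
#define AE_OK                0
#define AE_AML_BAD_OPCODE    1   /* hypothetical error value for a bad OpType */

struct walk_state {
    int last_type;               /* which handler "type" ran last, -1 if none */
};

typedef status_t (*op_handler_t)(struct walk_state *ws);

/* One routine per opcode "type", as in ACPICA; three stand in for the set. */
static status_t handle_type0(struct walk_state *ws) { ws->last_type = 0; return AE_OK; }
static status_t handle_type1(struct walk_state *ws) { ws->last_type = 1; return AE_OK; }
static status_t handle_type2(struct walk_state *ws) { ws->last_type = 2; return AE_OK; }

static const op_handler_t op_type_dispatch[] = {
    handle_type0,
    handle_type1,
    handle_type2,
};
#define OP_TYPE_COUNT (sizeof(op_type_dispatch) / sizeof(op_type_dispatch[0]))

/*
 * The pattern the report describes: OpType indexes the table directly.
 * For op_type >= OP_TYPE_COUNT this reads past the array and calls whatever
 * pointer-sized value sits there; a compiler-inserted bounds-check trap
 * (the ud2 in the oops) is the benign outcome. Only call it in range.
 */
static status_t dispatch_unchecked(unsigned int op_type, struct walk_state *ws)
{
    return op_type_dispatch[op_type](ws);
}

/* Suggested fix: validate OpType before it becomes an index. */
static status_t dispatch_checked(unsigned int op_type, struct walk_state *ws)
{
    if (op_type >= OP_TYPE_COUNT) {
        return AE_AML_BAD_OPCODE;        /* never touches the table */
    }
    return op_type_dispatch[op_type](ws);
}

int main(void)
{
    struct walk_state ws = { .last_type = -1 };
    /* Constructed probe values: two valid types, one just past the table, one far past. */
    unsigned int probes[] = { 0, 2, (unsigned int)OP_TYPE_COUNT, 0xFF };
    size_t i;

    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        status_t st = dispatch_checked(probes[i], &ws);
        printf("OpType %u: status %d, last handler type %d\n",
               probes[i], st, ws.last_type);
    }

    /* Only an in-range index is safe to hand to the unchecked form. */
    (void)dispatch_unchecked(1, &ws);
    printf("unchecked OpType 1: last handler type %d\n", ws.last_type);
    return 0;
}
```

The sequence 48 83 fa 09 76 02 <0f> 0b in the Code: line of the oops decodes to cmp $0x9,%rdx / jbe / ud2, i.e. a compiler-inserted bounds check on the index that traps instead of performing the indirect call. A build without that instrumentation would read a pointer-sized value past the end of the table and jump through it, which is the worse outcome an explicit check on OpType prevents regardless of compiler.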