Ubuntu
linux package

  1. Bug #1942215
  2. Comment #13

Comment 13 for bug 1942215

Revision history for this message
In , Colin Ian King (colin-king) wrote :

Source: source/components/dispatcher/dswexec.c
Function: AcpiDsExecEndOp

The following call can be problematic if OpType is out of range:

        if (ACPI_SUCCESS (Status))
        {
            /*
             * Dispatch the request to the appropriate interpreter handler
             * routine. There is one routine per opcode "type" based upon the
             * number of opcode arguments and return type.
             */
            Status = AcpiGbl_OpTypeDispatch[OpType] (WalkState);
        }

It has been observed that an invalid OpType in the Linux kernel has triggered a trap where and out of range OpType was caught at run time. Newer versions of gcc generate a trap on an out of range dispatch call with a ud2 opcode causing kernel oopses such as:

[ 11.507260] RIP: 0010:acpi_ds_exec_end_op+0x187/0x774
[ 11.508771] Code: 77 28 48 8b 04 c5 00 9b ea 91 48 89 df ff d0 0f 1f 00 41 89 c4 e9 8f 00 00 00 0f b6 43 0d 8d 50 ff 48 63 d2 48 83 fa 09 76 02 <0f> 0b 83 c0 6c 0f b7 7b 0a 48 89 da 48 98 48 8d 34 c3 e8 c0 3c 01
[ 11.511898] RSP: 0018:ffffaaeca1a776e0 EFLAGS: 00010286
[ 11.513428] RAX: 0000000000000000 RBX: ffff8f08a7573800 RCX: 0000000000000040
[ 11.514972] RDX: ffffffffffffffff RSI: ffffffff91ea9980 RDI: 00000000000002cb
[ 11.516100] RBP: ffffaaeca1a77710 R08: 0000000000000000 R09: ffff8f08a8c84af0
[ 11.517479] R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
[ 11.518985] R13: ffff8f08a8c84af0 R14: 0000000000000000 R15: 0000000000000000
[ 11.520425] FS: 00007f7fb403ed00(0000) GS:ffff8f348d5c0000(0000) knlGS:0000000000000000
[ 11.521931] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 11.523424] CR2: 00007f7fb38d1918 CR3: 0000000129b6a002 CR4: 00000000007706e0
[ 11.524924] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 11.526221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 11.527636] PKRU: 55555554
[ 11.528820] Call Trace:
[ 11.529807] acpi_ps_parse_loop+0x587/0x660
[ 11.531198] acpi_ps_parse_aml+0x1af/0x552
[ 11.532595] acpi_ps_execute_method+0x208/0x2ca
[ 11.533972] acpi_ns_evaluate+0x34e/0x4f0
[ 11.535361] acpi_evaluate_object+0x18e/0x3b4
[ 11.536736] acpi_evaluate_dsm+0xb3/0x120
[ 11.537943] ? acpi_evaluate_dsm+0xb3/0x120
[ 11.539214] nfit_intel_shutdown_status+0xed/0x1b0 [nfit]
[ 11.540603] acpi_nfit_add_dimm+0x3cb/0x670 [nfit]
[ 11.541990] acpi_nfit_register_dimms+0x141/0x460 [nfit]
[ 11.543377] acpi_nfit_init+0x54f/0x620 [nfit]
[ 11.544755] acpi_nfit_add+0x192/0x1f0 [nfit]
[ 11.546116] acpi_device_probe+0x49/0x170

I strongly suggest sanity out-of-bounds checks on the OpType before calling the dispatcher.