FreeBSD Bugzilla – Attachment 196667 Details for
Bug 230993
sysutils/acpi_call: Kernel panic since CURRENT r336876 (Use SMAP on amd64)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
Fix
patch-acpi__call.c (text/plain), 1.90 KB, created by
Theron Tarigo
on 2018-08-29 06:00:30 UTC
(
hide
)
Description:
Fix
Filename:
MIME Type:
Creator:
Theron Tarigo
Created:
2018-08-29 06:00:30 UTC
Size:
1.90 KB
patch
obsolete
>--- acpi_call.c.orig 2011-11-07 05:35:10 UTC >+++ acpi_call.c >@@ -43,7 +43,7 @@ > #include "acpi_call_io.h" > > >-void acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *orig); >+void acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *user, size_t len); > > static int > acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg) >@@ -63,12 +63,15 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg) > { > if (params->result.Pointer != NULL) > { >+ if (params->result.Length < sizeof(ACPI_OBJECT)) { >+ AcpiOsFree(result.Pointer); >+ return (EINVAL); >+ } > params->result.Length = min(params->result.Length, result.Length); >+ acpi_call_fixup_pointers((ACPI_OBJECT*)(result.Pointer), params->result.Pointer, result.Length); > copyout(result.Pointer, params->result.Pointer, > params->result.Length); > params->reslen = result.Length; >- if (result.Length >= sizeof(ACPI_OBJECT)) >- acpi_call_fixup_pointers((ACPI_OBJECT*)(params->result.Pointer), result.Pointer); > } > AcpiOsFree(result.Pointer); > } >@@ -79,16 +82,24 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg) > } > > void >-acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *orig) >+acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *user, size_t len) > { > switch (p->Type) > { > case ACPI_TYPE_STRING: >- p->String.Pointer = (char*)((UINT8*)(p->String.Pointer) - orig + (UINT8*)p); >- break; >+ if ((char *)(p->String.Pointer + p->String.Length/sizeof(*p->String.Pointer)) <= (char *)p + len) { >+ p->String.Pointer = user + ( (char *)p->String.Pointer - (char *)p ); >+ return; >+ } >+ p->String.Pointer = NULL; >+ return; > case ACPI_TYPE_BUFFER: >- p->Buffer.Pointer -= orig - (UINT8*)p; >- break; >+ if ((char *)(p->Buffer.Pointer + p->Buffer.Length/sizeof(*p->Buffer.Pointer)) <= (char *)p + len) { >+ p->Buffer.Pointer = user + ( (char *)p->Buffer.Pointer - (char *)p ); >+ return; >+ } >+ p->Buffer.Pointer = NULL; >+ return; > } > } >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=196667">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 230993
:
196667
|
197075
|
197077