Attachment #197075 for bug #230993

View | Details | Raw Unified | Return to bug 230993
Collapse All | Expand All

Lines 3-8 Link Here

(-)sysutils/acpi_call/Makefile (+1 lines)
3		3
4	PORTNAME= acpi_call	4	PORTNAME= acpi_call
5	PORTVERSION= 1.0.1	5	PORTVERSION= 1.0.1
		6	PORTREVISION= 1
6	CATEGORIES= sysutils	7	CATEGORIES= sysutils
7	MASTER_SITES= http://projects.ukrweb.net/files/ \	8	MASTER_SITES= http://projects.ukrweb.net/files/ \
8	http://imax.in.ua/files/	9	http://imax.in.ua/files/




--- acpi_call.c.orig	2011-11-07 05:35:10 UTC
+++ acpi_call.c
@@ -43,12 +43,13 @@
 #include "acpi_call_io.h"
 
 
-void acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *orig);
+void acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *user, size_t len);
 
 static int
 acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
 {
 	struct acpi_call_descr *params;
+	char		path[MAX_ACPI_PATH + 1];
 	ACPI_BUFFER	result;
 
 	result.Length = ACPI_ALLOCATE_BUFFER;
@@ -56,19 +57,24 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
 
 	if (cmd == ACPIIO_CALL) {
 		params = (struct acpi_call_descr*)addr;
-		params->retval = AcpiEvaluateObject(NULL, params->path, &params->args, &result);
+		copyin(params->path, path, params->path_len);
+		path[params->path_len] = '\0';
+		params->retval = AcpiEvaluateObject(NULL, path, &params->args, &result);
 		if (ACPI_SUCCESS(params->retval))
 		{
 			if (result.Pointer != NULL)
 			{
 				if (params->result.Pointer != NULL)
 				{	
+					if (params->result.Length < sizeof(ACPI_OBJECT)) {
+						AcpiOsFree(result.Pointer);
+						return (EINVAL);
+					}
 					params->result.Length = min(params->result.Length, result.Length);
+					acpi_call_fixup_pointers((ACPI_OBJECT*)(result.Pointer), params->result.Pointer, result.Length);
 					copyout(result.Pointer, params->result.Pointer,
 							params->result.Length);
 					params->reslen = result.Length;
-					if (result.Length >= sizeof(ACPI_OBJECT))
-						acpi_call_fixup_pointers((ACPI_OBJECT*)(params->result.Pointer), result.Pointer);
 				}
 				AcpiOsFree(result.Pointer);
 			}
@@ -79,16 +85,24 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
 }
 
 void
-acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *orig)
+acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *user, size_t len)
 {
 	switch (p->Type)
 	{
 	case ACPI_TYPE_STRING:
-		p->String.Pointer = (char*)((UINT8*)(p->String.Pointer) - orig + (UINT8*)p);
-		break;
+		if ((char *)(p->String.Pointer + p->String.Length/sizeof(*p->String.Pointer)) <= (char *)p + len) {
+			p->String.Pointer = user + ( (char *)p->String.Pointer - (char *)p );
+			return;
+		}
+		p->String.Pointer = NULL;
+		return;
 	case ACPI_TYPE_BUFFER:
-		p->Buffer.Pointer -= orig - (UINT8*)p;
-		break;
+		if ((char *)(p->Buffer.Pointer + p->Buffer.Length/sizeof(*p->Buffer.Pointer)) <= (char *)p + len) {
+			p->Buffer.Pointer = user + ( (char *)p->Buffer.Pointer - (char *)p );
+			return;
+		}
+		p->Buffer.Pointer = NULL;
+		return;
 	}
 }
 




--- acpi_call_io.h.orig	2018-09-13 19:07:48 UTC
+++ acpi_call_io.h
@@ -38,9 +38,12 @@
 #	include <contrib/dev/acpica/actypes.h>
 #endif
 
+#define	MAX_ACPI_PATH	1024 // XXX
+
 struct acpi_call_descr
 {
 	char		*path;
+	size_t		 path_len;
 	ACPI_OBJECT_LIST	args;
 	ACPI_STATUS	retval;
 	ACPI_BUFFER	result;




--- acpi_call_util.c.orig	2011-11-07 05:35:10 UTC
+++ acpi_call_util.c
@@ -42,7 +42,6 @@
 #include <stdio.h>
 #include <string.h>
 
-#define	MAX_ACPI_PATH	1024 // XXX
 #define MAX_ACPI_ARGS	7
 
 char dev_path[MAXPATHLEN] = "/dev/acpi";
@@ -89,6 +88,7 @@ int main(int argc, char * argv[])
 		fprintf(stderr, "Please specify path to method with -p flag\n");
 		return 1;
 	}
+	params.path_len = strnlen(method_path, MAX_ACPI_PATH);
 
 	if (verbose)
 		print_params(&params);
@@ -102,6 +102,7 @@ int main(int argc, char * argv[])
 	if (ioctl(fd, ACPIIO_CALL, &params) == -1)
 	{

Return to bug 230993

Line 0 Link Here

(-)sysutils/acpi_call/files/patch-acpi__call.c (+75 lines)
		1	--- acpi_call.c.orig 2011-11-07 05:35:10 UTC
		2	+++ acpi_call.c
		3	@@ -43,12 +43,13 @@
		4	#include "acpi_call_io.h"
		5
		6
		7	-void acpi_call_fixup_pointers(ACPI_OBJECT p, UINT8 orig);
		8	+void acpi_call_fixup_pointers(ACPI_OBJECT p, UINT8 user, size_t len);
		9
		10	static int
		11	acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
		12	{
		13	struct acpi_call_descr *params;
		14	+ char path[MAX_ACPI_PATH + 1];
		15	ACPI_BUFFER result;
		16
		17	result.Length = ACPI_ALLOCATE_BUFFER;
		18	@@ -56,19 +57,24 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
		19
		20	if (cmd == ACPIIO_CALL) {
		21	params = (struct acpi_call_descr*)addr;
		22	- params->retval = AcpiEvaluateObject(NULL, params->path, &params->args, &result);
		23	+ copyin(params->path, path, params->path_len);
		24	+ path[params->path_len] = '\0';
		25	+ params->retval = AcpiEvaluateObject(NULL, path, &params->args, &result);
		26	if (ACPI_SUCCESS(params->retval))
		27	{
		28	if (result.Pointer != NULL)
		29	{
		30	if (params->result.Pointer != NULL)
		31	{
		32	+ if (params->result.Length < sizeof(ACPI_OBJECT)) {
		33	+ AcpiOsFree(result.Pointer);
		34	+ return (EINVAL);
		35	+ }
		36	params->result.Length = min(params->result.Length, result.Length);
		37	+ acpi_call_fixup_pointers((ACPI_OBJECT*)(result.Pointer), params->result.Pointer, result.Length);
		38	copyout(result.Pointer, params->result.Pointer,
		39	params->result.Length);
		40	params->reslen = result.Length;
		41	- if (result.Length >= sizeof(ACPI_OBJECT))
		42	- acpi_call_fixup_pointers((ACPI_OBJECT*)(params->result.Pointer), result.Pointer);
		43	}
		44	AcpiOsFree(result.Pointer);
		45	}
		46	@@ -79,16 +85,24 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
		47	}
		48
		49	void
		50	-acpi_call_fixup_pointers(ACPI_OBJECT p, UINT8 orig)
		51	+acpi_call_fixup_pointers(ACPI_OBJECT p, UINT8 user, size_t len)
		52	{
		53	switch (p->Type)
		54	{
		55	case ACPI_TYPE_STRING:
		56	- p->String.Pointer = (char)((UINT8)(p->String.Pointer) - orig + (UINT8*)p);
		57	- break;
		58	+ if ((char )(p->String.Pointer + p->String.Length/sizeof(p->String.Pointer)) <= (char *)p + len) {
		59	+ p->String.Pointer = user + ( (char )p->String.Pointer - (char )p );
		60	+ return;
		61	+ }
		62	+ p->String.Pointer = NULL;
		63	+ return;
		64	case ACPI_TYPE_BUFFER:
65	- p->Buffer.Pointer -= orig - (UINT8*)p;
66	- break;
67	+ if ((char )(p->Buffer.Pointer + p->Buffer.Length/sizeof(p->Buffer.Pointer)) <= (char *)p + len) {
68	+ p->Buffer.Pointer = user + ( (char )p->Buffer.Pointer - (char )p );
69	+ return;
70	+ }
71	+ p->Buffer.Pointer = NULL;
72	+ return;
73	}
74	}
75

Line 0 Link Here

(-)sysutils/acpi_call/files/patch-acpi__call__io.h (+15 lines)
	1	--- acpi_call_io.h.orig 2018-09-13 19:07:48 UTC
	2	+++ acpi_call_io.h
	3	@@ -38,9 +38,12 @@
	4	# include <contrib/dev/acpica/actypes.h>
	5	#endif
	6
	7	+#define MAX_ACPI_PATH 1024 // XXX
	8	+
	9	struct acpi_call_descr
	10	{
	11	char *path;
	12	+ size_t path_len;
	13	ACPI_OBJECT_LIST args;
	14	ACPI_STATUS retval;
	15	ACPI_BUFFER result;

Lines 1-5 Link Here

(-)sysutils/acpi_call/files/patch-acpi__call__util.c (+16 lines)
1	--- acpi_call_util.c.orig 2011-11-07 05:35:10 UTC	1	--- acpi_call_util.c.orig 2011-11-07 05:35:10 UTC
2	+++ acpi_call_util.c	2	+++ acpi_call_util.c
		3	@@ -42,7 +42,6 @@
		4	#include <stdio.h>
		5	#include <string.h>
		6
		7	-#define MAX_ACPI_PATH 1024 // XXX
		8	#define MAX_ACPI_ARGS 7
		9
		10	char dev_path[MAXPATHLEN] = "/dev/acpi";
		11	@@ -89,6 +88,7 @@ int main(int argc, char * argv[])
		12	fprintf(stderr, "Please specify path to method with -p flag\n");
		13	return 1;
		14	}
		15	+ params.path_len = strnlen(method_path, MAX_ACPI_PATH);
		16
		17	if (verbose)
		18	print_params(&params);
3	@@ -102,6 +102,7 @@ int main(int argc, char * argv[])	19	@@ -102,6 +102,7 @@ int main(int argc, char * argv[])
4	if (ioctl(fd, ACPIIO_CALL, &params) == -1)	20	if (ioctl(fd, ACPIIO_CALL, &params) == -1)
5	{	21	{