FreeBSD Bugzilla – Attachment 197075 Details for
Bug 230993
sysutils/acpi_call: Kernel panic since CURRENT r336876 (Use SMAP on amd64)
[patch]
Patch to fix accesses to userland pointers in kernel module
acpi_call_port.patch (text/plain), 5.26 KB, created by
Jean-Sébastien Pédron
on 2018-09-13 20:25:35 UTC
Description:
Patch to fix accesses to userland pointers in kernel module
Filename:
MIME Type:
Creator:
Jean-Sébastien Pédron
Created:
2018-09-13 20:25:35 UTC
Size:
5.26 KB
>Index: sysutils/acpi_call/Makefile
>===================================================================
>--- sysutils/acpi_call/Makefile (revision 479666)
>+++ sysutils/acpi_call/Makefile (working copy)
>@@ -3,6 +3,7 @@
>
> PORTNAME= acpi_call
> PORTVERSION= 1.0.1
>+PORTREVISION= 1
> CATEGORIES= sysutils
> MASTER_SITES= http://projects.ukrweb.net/files/ \
> http://imax.in.ua/files/
>Index: sysutils/acpi_call/files/patch-acpi__call.c
>===================================================================
>--- sysutils/acpi_call/files/patch-acpi__call.c (nonexistent)
>+++ sysutils/acpi_call/files/patch-acpi__call.c (working copy)
>@@ -0,0 +1,75 @@
>+--- acpi_call.c.orig 2011-11-07 05:35:10 UTC
>++++ acpi_call.c
>+@@ -43,12 +43,13 @@
>+ #include "acpi_call_io.h"
>+
>+
>+-void acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *orig);
>++void acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *user, size_t len);
>+
>+ static int
>+ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
>+ {
>+ struct acpi_call_descr *params;
>++ char path[MAX_ACPI_PATH + 1];
>+ ACPI_BUFFER result;
>+
>+ result.Length = ACPI_ALLOCATE_BUFFER;
>+@@ -56,19 +57,24 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
>+
>+ if (cmd == ACPIIO_CALL) {
>+ params = (struct acpi_call_descr*)addr;
>+- params->retval = AcpiEvaluateObject(NULL, params->path, ¶ms->args, &result);
>++ copyin(params->path, path, params->path_len);
>++ path[params->path_len] = '\0';
>++ params->retval = AcpiEvaluateObject(NULL, path, ¶ms->args, &result);
>+ if (ACPI_SUCCESS(params->retval))
>+ {
>+ if (result.Pointer != NULL)
>+ {
>+ if (params->result.Pointer != NULL)
>+ {
>++ if (params->result.Length < sizeof(ACPI_OBJECT)) {
>++ AcpiOsFree(result.Pointer);
>++ return (EINVAL);
>++ }
>+ params->result.Length = min(params->result.Length, result.Length);
>++ acpi_call_fixup_pointers((ACPI_OBJECT*)(result.Pointer), params->result.Pointer, result.Length);
>+ copyout(result.Pointer, params->result.Pointer,
>+ params->result.Length);
>+ params->reslen = result.Length;
>+- if (result.Length >= sizeof(ACPI_OBJECT))
>+- acpi_call_fixup_pointers((ACPI_OBJECT*)(params->result.Pointer), result.Pointer);
>+ }
>+ AcpiOsFree(result.Pointer);
>+ }
>+@@ -79,16 +85,24 @@ acpi_call_ioctl(u_long cmd, caddr_t addr, void *arg)
>+ }
>+
>+ void
>+-acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *orig)
>++acpi_call_fixup_pointers(ACPI_OBJECT *p, UINT8 *user, size_t len)
>+ {
>+ switch (p->Type)
>+ {
>+ case ACPI_TYPE_STRING:
>+- p->String.Pointer = (char*)((UINT8*)(p->String.Pointer) - orig + (UINT8*)p);
>+- break;
>++ if ((char *)(p->String.Pointer + p->String.Length/sizeof(*p->String.Pointer)) <= (char *)p + len) {
>++ p->String.Pointer = user + ( (char *)p->String.Pointer - (char *)p );
>++ return;
>++ }
>++ p->String.Pointer = NULL;
>++ return;
>+ case ACPI_TYPE_BUFFER:
>+- p->Buffer.Pointer -= orig - (UINT8*)p;
>+- break;
>++ if ((char *)(p->Buffer.Pointer + p->Buffer.Length/sizeof(*p->Buffer.Pointer)) <= (char *)p + len) {
>++ p->Buffer.Pointer = user + ( (char *)p->Buffer.Pointer - (char *)p );
>++ return;
>++ }
>++ p->Buffer.Pointer = NULL;
>++ return;
>+ }
>+ }
>+
>
>Property changes on: sysutils/acpi_call/files/patch-acpi__call.c
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Index: sysutils/acpi_call/files/patch-acpi__call__io.h
>===================================================================
>--- sysutils/acpi_call/files/patch-acpi__call__io.h (nonexistent)
>+++ sysutils/acpi_call/files/patch-acpi__call__io.h (working copy)
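Review bot: In acpi_call_ioctl the new `copyin(params->path, path, params->path_len)` takes a caller-supplied `path_len` with no upper bound while `path` is a fixed `char path[MAX_ACPI_PATH + 1]` on the kernel stack, so a length above MAX_ACPI_PATH writes past the buffer, and the following `path[params->path_len] = '\0'` indexes out of range as well. The return value of copyin() is also ignored, so a faulting user address leaves `path` uninitialized when it is handed to AcpiEvaluateObject. I would put `if (params->path_len > MAX_ACPI_PATH) return (EINVAL);` ahead of the copy and turn the copy into `if (copyin(params->path, path, params->path_len) != 0) return (EFAULT);`. Separately, the `args` member of params is still passed straight through to AcpiEvaluateObject; if its Pointer comes from userland the way `path` and `result.Pointer` do, that is the same class of access this patch is meant to remove and needs a copyin of its own. The function body continues outside these hunks, so confirm that an early return at that point skips no cleanup.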
>@@ -0,0 +1,15 @@
>+--- acpi_call_io.h.orig 2018-09-13 19:07:48 UTC
>++++ acpi_call_io.h
>+@@ -38,9 +38,12 @@
>+ # include <contrib/dev/acpica/actypes.h>
>+ #endif
>+
>++#define MAX_ACPI_PATH 1024 // XXX
>++
>+ struct acpi_call_descr
>+ {
>+ char *path;
>++ size_t path_len;
>+ ACPI_OBJECT_LIST args;
>+ ACPI_STATUS retval;
>+ ACPI_BUFFER result;
>
>Property changes on: sysutils/acpi_call/files/patch-acpi__call__io.h
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Index: sysutils/acpi_call/files/patch-acpi__call__util.c
>===================================================================
>--- sysutils/acpi_call/files/patch-acpi__call__util.c (revision 479666)
>+++ sysutils/acpi_call/files/patch-acpi__call__util.c (working copy)
>@@ -1,5 +1,21 @@
> --- acpi_call_util.c.orig 2011-11-07 05:35:10 UTC
> +++ acpi_call_util.c
>+@@ -42,7 +42,6 @@
>+ #include <stdio.h>
>+ #include <string.h>
>+
>+-#define MAX_ACPI_PATH 1024 // XXX
>+ #define MAX_ACPI_ARGS 7
>+
>+ char dev_path[MAXPATHLEN] = "/dev/acpi";
>+@@ -89,6 +88,7 @@ int main(int argc, char * argv[])
>+ fprintf(stderr, "Please specify path to method with -p flag\n");
>+ return 1;
>+ }
>++ params.path_len = strnlen(method_path, MAX_ACPI_PATH);
>+
>+ if (verbose)
>+ print_params(¶ms);
> @@ -102,6 +102,7 @@ int main(int argc, char * argv[])
> if (ioctl(fd, ACPIIO_CALL, ¶ms) == -1)
> {
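Review bot: The new `path_len` member in struct acpi_call_descr has no comment stating its contract, although the kernel side now depends on it. A one-line comment on the member such as `/* length of path in bytes, excluding the terminating NUL; at most MAX_ACPI_PATH */` would make the limit visible to anyone writing another client of the ioctl. The `// XXX` carried over with `MAX_ACPI_PATH` should say what is unresolved about the value. Adding a member also changes the layout of the structure, so a utility built against the old header will presumably no longer match the module.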
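Review bot: In the acpi_call_util.c hunk, `params.path_len = strnlen(method_path, MAX_ACPI_PATH);` silently clamps a method path longer than MAX_ACPI_PATH, so the module would be asked to evaluate a prefix of what the user typed instead of the request failing. Rejecting the over-long path before the assignment is clearer, for example `if (strlen(method_path) > MAX_ACPI_PATH) { fprintf(stderr, "Method path too long\n"); return 1; }`. This clamp also cannot stand in for a bound check in the module, since any program able to open the device can issue the ioctl with its own `path_len`. The declaration of `method_path` and the rest of main() are outside the hunk, so confirm the buffer is always NUL-terminated.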
Attachments on
bug 230993
:
196667
|
197075
|
197077