216266 – ACPICA: Fix operand resolution, UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/acpi/acpica/dswexec.c

Bug 216266 - ACPICA: Fix operand resolution, UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/acpi/acpica/dswexec.c

Summary: ACPICA: Fix operand resolution, UBSAN: array-index-out-of-bounds in /home/ker...

Status:	NEW

Alias:	None

Product:	ACPI
Classification:	Unclassified
Component:	ACPICA-Core (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	acpi_acpica-core@kernel-bugs.osdl.org

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-07-21 13:28 UTC by Satadru Pramanik
Modified:	2022-10-24 16:32 UTC (History)
CC List:	3 users (show)

See Also:
Kernel Version:	5.17 5.18 5.19.0 6.0-rc1
Subsystem:
Regression:	Yes
Bisected commit-id:

Attachments
patch for ACPICA: Fix operand resolution adapted for kernel (660 bytes, patch) 2022-07-21 13:28 UTC, Satadru Pramanik	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Description Satadru Pramanik 2022-07-21 13:28:24 UTC

Created attachment 301472 [details]
patch for ACPICA: Fix operand resolution adapted for kernel

This bug was reported upstream at https://github.com/acpica/acpica/issues/755

This is the error in dmesg:

[  710.521719] UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/acpi/acpica/dswexec.c:401:12
[  710.521721] index -1 is out of range for type 'acpi_operand_object *[9]'
[  710.521723] CPU: 4 PID: 16237 Comm: kworker/u16:25 Tainted: P           OE     5.17.0-051700rc6-generic #202202272330
[  710.521726] Hardware name: Apple Inc. MacBookPro11,3/Mac-2BD1B31983FE1663, BIOS 432.60.3.0.0 10/27/2021
[  710.521727] Workqueue: events_unbound async_run_entry_fn
[  710.521733] Call Trace:
[  710.521734]  <TASK>
[  710.521737]  show_stack+0x52/0x58
[  710.521743]  dump_stack_lvl+0x4c/0x63
[  710.521746]  dump_stack+0x10/0x12
[  710.521747]  ubsan_epilogue+0x9/0x45
[  710.521751]  __ubsan_handle_out_of_bounds.cold+0x44/0x49
[  710.521754]  acpi_ds_exec_end_op+0x1a1/0x798
[  710.521759]  acpi_ps_parse_loop+0x587/0x660
[  710.521762]  acpi_ps_parse_aml+0x1af/0x552
[  710.521764]  acpi_ps_execute_method+0x208/0x2ca
[  710.521766]  acpi_ns_evaluate+0x34e/0x4f0
[  710.521771]  acpi_evaluate_object+0x18e/0x3b4
[  710.521772]  ? acpi_ns_get_node+0xaa/0xb8
[  710.521774]  acpi_device_set_power+0x20b/0x360
[  710.521779]  acpi_pci_set_power_state+0x98/0x130
[  710.521784]  pci_power_up+0x15/0x80
[  710.521788]  pci_pm_resume_noirq+0x83/0x130
[  710.521790]  ? pci_pm_thaw_noirq+0x90/0x90
[  710.521794]  dpm_run_callback+0x69/0x160
[  710.521800]  device_resume_noirq+0x148/0x230
[  710.521802]  async_resume_noirq+0x1e/0x40
[  710.521803]  async_run_entry_fn+0x30/0x120
[  710.521805]  process_one_work+0x21c/0x3f0
[  710.521810]  worker_thread+0x50/0x3d0
[  710.521813]  ? rescuer_thread+0x390/0x390
[  710.521816]  kthread+0xeb/0x120
[  710.521819]  ? kthread_complete_and_exit+0x20/0x20
[  710.521822]  ret_from_fork+0x1f/0x30
[  710.521828]  </TASK>
[  710.521829] ================================================================================



This error goes away with the patch in https://github.com/acpica/acpica/pull/745 
Signed-off-by: Amadeusz Sławiński amadeuszx.slawinski@linux.intel.com
Reviewed-by: Cezary Rojewski cezary.rojewski@intel.com

(I have attached this patch adapted for application to the kernel.)


[    0.200396] kernel: ACPI: Disabled all _OSI OS vendors
[    0.200398] kernel: ACPI: Added _OSI(Module Device)
[    0.200399] kernel: ACPI: Added _OSI(Processor Device)
[    0.200401] kernel: ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.200403] kernel: ACPI: Added _OSI(Processor Aggregator Device)
[    0.200405] kernel: ACPI: Added _OSI(Linux-Dell-Video)
[    0.200406] kernel: ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)
[    0.200408] kernel: ACPI: Added _OSI(Linux-HPI-Hybrid-Graphics)
[    0.200410] kernel: ACPI: Added _OSI(Darwin)
[    0.214666] kernel: ACPI: 9 ACPI AML tables successfully acquired and loaded
[    0.215310] kernel: ACPI: EC: EC started
[    0.215312] kernel: ACPI: EC: interrupt blocked
[    0.216900] kernel: ACPI: EC: EC_CMD/EC_SC=0x66, EC_DATA=0x62
[    0.216903] kernel: ACPI: EC: Boot ECDT EC used to handle transactions
[    0.217064] kernel: ACPI: BIOS _OSI(Darwin) query honored via DMI
[    0.217601] kernel: ACPI: [Firmware Bug]: BIOS _OSI(Linux) query ignored
[    0.217690] kernel: ACPI Error: Needed type [Reference], found [Integer] 00000000cae04c1b (20220331/exresop-66)
[    0.217699] kernel: ACPI Error: AE_AML_OPERAND_TYPE, While resolving operands for [Store] (20220331/dswexec-433)
[    0.217706] kernel:
[    0.217708] kernel: No Local Variables are initialized for Method [_PDC]
[    0.217710] kernel:
[    0.217711] kernel: Initialized Arguments for Method [_PDC]:  (1 arguments defined for method invocation)
[    0.217713] kernel:   Arg0:   000000006489d999 <Obj>           Buffer(12) 01 00 00 00 01 00 00 00
[    0.217721] kernel:
[    0.217723] kernel: ACPI Error: Aborting method \_PR.CPU0._PDC due to previous error (AE_AML_OPERAND_TYPE) (20220331/psparse-529)
[    0.217976] kernel: ACPI: Dynamic OEM Table Load:
[    0.217984] kernel: ACPI: SSDT 0xFFFF95E9814DD800 00067C (v01 PmRef  ApIst    00003000 INTL 20100915)
[    0.218944] kernel: ACPI: Dynamic OEM Table Load:
[    0.218950] kernel: ACPI: SSDT 0xFFFF95E981225C00 000119 (v01 PmRef  ApCst    00003000 INTL 20100915)
[    0.220860] kernel: ACPI: Interpreter enabled
[    0.220877] kernel: ACPI: PM: (supports S0 S3 S4 S5)
[    0.220879] kernel: ACPI: Using IOAPIC for interrupt routing

Comment 1 Satadru Pramanik 2022-07-21 13:30:57 UTC

I have successfully applied this patch to 5.19-rc7, and it fixes the issue on my system.

Comment 2 Satadru Pramanik 2022-07-26 15:13:22 UTC

The patch also resolves this on 5.19-rc8.

Comment 3 Satadru Pramanik 2022-08-15 23:48:59 UTC

This patch also resolves this issue on 5.19.0 and 6.0-rc1.

Note You need to log in before you can comment on or make changes to this bug.