From: "Rafael J. Wysocki" To: Linux ACPI Cc: LKML , Bob Moore Subject: [PATCH 18/32] ACPICA: Avoid undefined behavior: member access within misaligned address Date: Wed, 05 Apr 2023 15:46:30 +0200 Message-ID: <2438077.jE0xQCEvom@kreacher> In-Reply-To: <4845957.31r3eYUQgx@kreacher> References: <4845957.31r3eYUQgx@kreacher> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" X-CLIENT-IP: 213.134.163.219 X-CLIENT-HOSTNAME: 213.134.163.219 X-VADE-SPAMSTATE: clean X-VADE-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedvhedrvdejuddgjeduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecujffqoffgrffnpdggtffipffknecuuegrihhlohhuthemucduhedtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhvfevufffkfgjfhgggfgtsehtqhertddttdejnecuhfhrohhmpedftfgrfhgrvghlucflrdcuhgihshhotghkihdfuceorhhjfiesrhhjfiihshhotghkihdrnhgvtheqnecuggftrfgrthhtvghrnhepfeetteevgfelhfefveeutefhudekleejgfeviedufefgleeuteeftedvieelleeinecuffhomhgrihhnpegrshgrnhdrshhopdhgihhthhhusgdrtghomhenucfkphepvddufedrudefgedrudeifedrvdduleenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpedvudefrddufeegrdduieefrddvudelpdhhvghlohepkhhrvggrtghhvghrrdhlohgtrghlnhgvthdpmhgrihhlfhhrohhmpedftfgrfhgrvghlucflrdcuhgihshhotghkihdfuceorhhjfiesrhhjfiihshhotghkihdrnhgvtheqpdhnsggprhgtphhtthhopeefpdhrtghpthhtoheplhhinhhugidqrggtphhisehvghgvrhdrkhgvrhhnvghlrdhorhhgpdhrtghpthhtoheplhhinhhugidqkhgvrhhnvghlsehvghgvrhdrkhgvrhhnvghlrdhorhhgpdhrtghpthhtoheprhhosggvrhhtrdhmohhorhgvsehinhhtvghlrdgtohhm X-DCC--Metrics: v370.home.net.pl 1024; Body=3 Fuz1=3 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 
From: Tamir Duberstein ACPICA commit 8ea5ada64b48dada42dbd5f0f58a9ce18f882ede Before this change we see the following UBSAN stack trace in Fuchsia: #0 0x000020d00518f81a in acpi_rs_convert_aml_to_resources(u8*, u32, u3= 2, u8, void**) ../../third_party/acpica/source/components/resources/rslist.= c:104 +0x2cd81a #1.2 0x00002348b567277f in ubsan_get_stack_trace() compiler-rt/lib/ubsan= /ubsan_diag.cpp:41 +0x3d77f #1.1 0x00002348b567277f in maybe_print_stack_trace() compiler-rt/lib/ubs= an/ubsan_diag.cpp:51 +0x3d77f #1 0x00002348b567277f in ~scoped_report() compiler-rt/lib/ubsan/ubsan_= diag.cpp:387 +0x3d77f #2 0x00002348b5673385 in handletype_mismatch_impl() compiler-rt/lib/ub= san/ubsan_handlers.cpp:137 +0x3e385 #3 0x00002348b5672ead in compiler-rt/lib/ubsan/ubsan_handlers.cpp:142 = +0x3dead #4 0x000020d00518f81a in acpi_rs_convert_aml_to_resources(u8*, u32, u3= 2, u8, void**) ../../third_party/acpica/source/components/resources/rslist.= c:104 +0x2cd81a #5 0x000020d0051b8ea9 in acpi_ut_walk_aml_resources(struct acpi_walk_s= tate*, u8*, acpi_size, acpi_walk_aml_callback, void**) ../../third_party/ac= pica/source/components/utilities/utresrc.c:234 +0x2f6e= a9 #6 0x000020d00518a806 in acpi_rs_create_resource_list(union acpi_opera= nd_object*, struct acpi_buffer*) ../../third_party/acpica/source/components= /resources/rscreate.c:199 +0x2c8806 #7 0x000020d005195ff2 in acpi_rs_get_method_data(acpi_handle, const ch= ar*, struct acpi_buffer*) ../../third_party/acpica/source/components/resour= ces/rsutils.c:770 +0x2d3ff2 #8 0x000020d00519636d in acpi_walk_resources(acpi_handle, char*, acpi_= walk_resource_callback, void*) ../../third_party/acpica/source/components/r= esources/rsxface.c:731 +0x2d436d #9 0x000020d004fadd48 in acpi::acpi_impl::walk_resources(acpi::acpi_im= pl*, acpi_handle, const char*, acpi::Acpi::resources_callable) ../../src/de= vices/board/lib/acpi/acpi-impl.cc:41 +0xebd48 #10 0x000020d004fb394d in acpi::device_builder::gather_resources(acpi::= 
device_builder*, acpi::Acpi*, fidl::any_arena&, acpi::Manager*, acpi::devic= e_builder::gather_resources_callback) ../../src/devices/board/lib/acpi/devi= ce-builder.cc:52 +0xf194d #11 0x000020d00503faf2 in acpi::Manager::configure_discovered_devices(a= cpi::Manager*) ../../src/devices/board/lib/acpi/manager.cc:75 +0x17daf2 #12 0x000020d004f67b44 in publish_acpi_devices(acpi::Manager*, zx_devic= e_t*, zx_device_t*) ../../src/devices/board/drivers/x86/acpi-nswalk.cc:102 = +0xa5b44 #13 0x000020d004f796f7 in x86::X86::do_init(x86::X86*) ../../src/device= s/board/drivers/x86/x86.cc:65 +0xb76f7 #14.1 0x000020d004f838ea in =CE=BB(x86::X86::ddk_init::(anon class)*) ../= ../src/devices/board/drivers/x86/x86.cc:82 +0xc18ea #14 0x000020d004f838ea in fit::internal::target<(lambda at../../src/dev= ices/board/drivers/x86/x86.cc:81:19), false, false, void>::invoke(void*) ..= /../sdk/lib/fit/include/lib/fit/internal/function.h:181 +0xc18ea #15.2 0x000020d0051c896c in fit::internal::function_base<16UL, false, voi= d()>::invoke(const fit::internal::function_base<16UL, false, void ()>*) ../= ../sdk/lib/fit/include/lib/fit/internal/function.h:505 +0x30696c #15.1 0x000020d0051c896c in fit::function_impl<16UL, false, void()>::oper= ator()(const fit::function_impl<16UL, false, void ()>*) ../../sdk/lib/fit/i= nclude/lib/fit/function.h:300 +0x30696c #15 0x000020d0051c896c in async::internal::retained_task::Handler(async= _dispatcher_t*, async_task_t*, zx_status_t) ../../zircon/system/ulib/async/= task.cc:25 +0x30696c #16.1 0x00002061a33d3d91 in =CE=BB(const driver_runtime::Dispatcher::post= _task::(anon class)*, std::__2::unique_ptr >, zx_status_t= ) ../../src/devices/bin/driver_runtime/dispatcher.cc:715 +0x4bd91 #16 0x00002061a33d3d91 in fit::internal::target<(lambda at../../src/dev= ices/bin/driver_runtime/dispatcher.cc:714:7), true, false, void, std::__2::= unique_ptr>, int>::invoke(void*, std::__2::unique_ptr >, int) ../../sdk/lib/fit/include/lib/fit/internal/function.= h:128 +0x4bd91 
#17 0x00002061a33ccbc9 in fit::internal::function_base<24UL, true, void= (std::__2::unique_ptr>, int)>::invoke(const fit::internal= ::function_base<24UL, true, void (std::__2::unique_ptr >,= int)>*, std::__2::unique_ptr >, int) ../../sdk/lib/fit/i= nclude/lib/fit/internal/function.h:505 +0x44bc9 #18 0x00002061a33cc8dd in fit::callback_impl<24UL, true, void(std::__2:= :unique_ptr>, int)>::operator()(fit::callback_impl<24UL, = true, void (std::__2::unique_ptr >, int)>*, std::__2::uni= que_ptr >, int) ../../sdk/lib/fit/include/lib/fit/functio= n.h:451 +0x448dd #19 0x00002061a33bd6a6 in driver_runtime::callback_request::Call(driver= _runtime::callback_request*, std::__2::unique_ptr >, zx_s= tatus_t) ../../src/devices/bin/driver_runtime/callback_request.h:67 +0x356a6 #20 0x00002061a33c44c8 in driver_runtime::Dispatcher::dispatch_callback= (driver_runtime::Dispatcher*, std::__2::unique_ptr >) ../= ../src/devices/bin/driver_runtime/dispatcher.cc:1093 = +0x3c4c8 #21 0x00002061a33c52c1 in driver_runtime::Dispatcher::dispatch_callback= s(driver_runtime::Dispatcher*, std::__2::unique_ptr >, fbl::ref_ptr) ../../src/devices/b= in/driver_runtime/dispatcher.cc:1169 +0x3d2c1 #22.1 0x00002061a33d081e in =CE=BB(std::__2::unique_ptr >, fbl::ref_ptr, const driver_= runtime::Dispatcher::create_with_adder::(anon class)*) ../../src/devices/bi= n/driver_runtime/dispatcher.cc:338 +0x4881e #22 0x00002061a33d081e in fit::internal::target<(lambda at../../src/dev= ices/bin/driver_runtime/dispatcher.cc:337:7), true, false, void, std::__2::= unique_ptr>, fbl::ref_ptr>::invoke(void*, std::__2::unique_ptr >, fbl::ref_ptr) ../../sdk/lib/fit/inc= lude/lib/fit/internal/function.h:128 +0x4881e #23 0x00002061a33cce7e in fit::internal::function_base<8UL, true, void(= std::__2::unique_ptr>, fbl::ref_ptr)>::invoke(const fit::internal::function_base<8UL, tr= ue, void (std::__2::unique_ptr >, fbl::re= f_ptr)>*, std::__2::unique_ptr >, fbl::ref_ptr) ../../sdk/li= b/fit/include/lib/fit/internal/function.h:505 
+0x44e7e #24.1 0x00002061a33c6964 in fit::function_impl<8UL, true, void(std::__2::= unique_ptr>, fbl::ref_ptr)>::operator()(const fit::function_impl<8UL, true, void (std::_= _2::unique_ptr >, fbl::ref_ptr)>*, std::__2::unique_ptr >, fbl::ref_ptr) ../../sdk/lib/fit/include/li= b/fit/function.h:300 +0x3e964 #24 0x00002061a33c6964 in driver_runtime::Dispatcher::event_waiter::inv= oke_callback(driver_runtime::Dispatcher::event_waiter*, std::__2::unique_pt= r >, fbl::ref_ptr) ../../src/devices/bin/driver_runtime/dispatcher.h:299 +0x3e964 #25 0x00002061a33c635d in driver_runtime::Dispatcher::event_waiter::han= dle_event(std::__2::unique_ptr >, async_d= ispatcher_t*, async::wait_base*, zx_status_t, zx_packet_signal_t const*) ..= /../src/devices/bin/driver_runtime/dispatcher.cc:1259 +0x3e35d #26.1 0x00002061a33d0c00 in async_loop_owned_event_handler::handle_event(async_loop_owned_event_handler*, zx_status_t, zx_packet_signal_t c= onst*, async_dispatcher_t*, async::wait_base*) ../../src/devices/bin/driver= _runtime/async_loop_owned_event_handler.h:59 +0x48c00 #26 0x00002061a33d0c00 in async::wait_method, &async_loop_owned_event_han= dler::handle_event>::call_handler= (async_dispatcher_t*, async_wait_t*, zx_status_t, zx_packet_signal_t const*= ) ../../zircon/system/ulib/async/include/lib/async/cpp/wait.h:201 +0x48c00 #27.1 0x00002061a33f2ead in async_loop_run_once(async_loop_t*, zx_time_t)= ../../zircon/system/ulib/async-loop/loop.c:415 +0x6a= ead #27 0x00002061a33f2ead in async_loop_run(async_loop_t*, zx_time_t, _Boo= l) ../../zircon/system/ulib/async-loop/loop.c:288 +0x= 6aead #28 0x00002061a33f478f in async_loop_run_thread(void*) ../../zircon/sys= tem/ulib/async-loop/loop.c:840 +0x6c78f #29 0x00004262135b7edc in start_c11(void*) ../../zircon/third_party/uli= b/musl/pthread/pthread_create.c:55 +0xd7edc #30 0x00004262136e896d in thread_trampoline(uintptr_t, uintptr_t) ../..= /zircon/system/ulib/runtime/thread.cc:100 +0x20896d Link: 
https://github.com/acpica/acpica/commit/8ea5ada6 Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki
---
 drivers/acpi/acpica/rslist.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/acpi/acpica/rslist.c b/drivers/acpi/acpica/rslist.c
index e46efaa889cd..164c96e063c6 100644
--- a/drivers/acpi/acpica/rslist.c
+++ b/drivers/acpi/acpica/rslist.c
@@ -55,15 +55,21 @@ acpi_rs_convert_aml_to_resources(u8 * aml,
 aml_resource =3D ACPI_CAST_PTR(union aml_resource, aml);
=20
 if (acpi_ut_get_resource_type(aml) =3D=3D ACPI_RESOURCE_NAME_SERIAL_BUS) {
- if (aml_resource->common_serial_bus.type >
- AML_RESOURCE_MAX_SERIALBUSTYPE) {
+
+ /* Avoid undefined behavior: member access within misaligned address */
+
+ struct aml_resource_common_serialbus common_serial_bus;
+ memcpy(&common_serial_bus, aml_resource,
+ sizeof(common_serial_bus));
+
+ if (common_serial_bus.type > AML_RESOURCE_MAX_SERIALBUSTYPE) {
 conversion_table =3D NULL;
 } else {
 /* This is an I2C, SPI, UART, or CSI2 serial_bus descriptor */
=20
 conversion_table =3D
 acpi_gbl_convert_resource_serial_bus_dispatch
- [aml_resource->common_serial_bus.type];
+ [common_serial_bus.type];
 }
 } else {
 conversion_table =3D
--=20
2.35.3
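Review bot: The added `memcpy` copies a fixed `sizeof(common_serial_bus)` bytes from `aml_resource` without consulting the descriptor length that acpi_rs_convert_aml_to_resources receives, so the copy stays in bounds only if the caller has already checked that a serial-bus descriptor is at least that long. The stack trace places the call under acpi_ut_walk_aml_resources, which presumably performs that validation, but the hunk does not say so and AML is firmware-supplied data. I would record the assumption in the new comment, for example `/* Descriptor length was validated by the caller; copy to a local to avoid misaligned member access */`, or compare the length argument with `sizeof(common_serial_bus)` before the copy. The function begins and ends outside the hunk, so the parameter name and any earlier length check are not visible here.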