From 7b23bdc37432f0b7fb6c3b6aa76debdcb7eb18c3 Mon Sep 17 00:00:00 2001 From: Tamir Duberstein Date: Tue, 28 Feb 2023 16:52:00 -0500 Subject: Avoid undefined behavior: member access within misaligned address MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Before this change we see the following UBSAN stack trace in Fuchsia: #0 0x00002132da6299a1 in AcpiUtValidateResource(ACPI_WALK_STATE*, void*, UINT8*) ../../third_party/acpica/source/components/utilities/utresrc.c:426 +0x2f79a1 #1.2 0x000023e6cd58577f in ubsan_GetStackTrace() compiler-rt/lib/ubsan/ubsan_diag.cpp:41 +0x3d77f #1.1 0x000023e6cd58577f in MaybePrintStackTrace() compiler-rt/lib/ubsan/ubsan_diag.cpp:51 +0x3d77f #1 0x000023e6cd58577f in ~ScopedReport() compiler-rt/lib/ubsan/ubsan_diag.cpp:387 +0x3d77f #2 0x000023e6cd586385 in handleTypeMismatchImpl() compiler-rt/lib/ubsan/ubsan_handlers.cpp:137 +0x3e385 #3 0x000023e6cd585ead in compiler-rt/lib/ubsan/ubsan_handlers.cpp:142 +0x3dead #4 0x00002132da6299a1 in AcpiUtValidateResource(ACPI_WALK_STATE*, void*, UINT8*) ../../third_party/acpica/source/components/utilities/utresrc.c:426 +0x2f79a1 #5 0x00002132da628ffe in AcpiUtWalkAmlResources(ACPI_WALK_STATE*, UINT8*, ACPI_SIZE, ACPI_WALK_AML_CALLBACK, void**) ../../third_party/acpica/source/components/utilities/utresrc.c:216 +0x2f6ffe #6 0x00002132da5b2405 in AcpiExConcatTemplate(ACPI_OPERAND_OBJECT*, ACPI_OPERAND_OBJECT*, ACPI_OPERAND_OBJECT**, ACPI_WALK_STATE*) ../../third_party/acpica/source/components/executer/exconcat.c:414 +0x280405 #7 0x00002132da5ad5a4 in AcpiExOpcode_2A_1T_1R(ACPI_WALK_STATE*) ../../third_party/acpica/source/components/executer/exoparg2.c:383 +0x27b5a4 #8 0x00002132da57ee7d in AcpiDsExecEndOp(ACPI_WALK_STATE*) ../../third_party/acpica/source/components/dispatcher/dswexec.c:482 +0x24ce7d #9 0x00002132da5ed196 in AcpiPsParseLoop(ACPI_WALK_STATE*) ../../third_party/acpica/source/components/parser/psloop.c:554 +0x2bb196 #10 0x00002132da5ea458 in AcpiPsParseAml(ACPI_WALK_STATE*) ../../third_party/acpica/source/components/parser/psparse.c:525 +0x2b8458 #11 0x00002132da5f8a92 in AcpiPsExecuteMethod(ACPI_EVALUATE_INFO*) ../../third_party/acpica/source/components/parser/psxface.c:244 +0x2c6a92 #12 0x00002132da55c2b2 in AcpiNsEvaluate(ACPI_EVALUATE_INFO*) ../../third_party/acpica/source/components/namespace/nseval.c:250 +0x22a2b2 #13 0x00002132da61fd45 in AcpiUtEvaluateObject(ACPI_NAMESPACE_NODE*, const char*, UINT32, ACPI_OPERAND_OBJECT**) ../../third_party/acpica/source/components/utilities/uteval.c:100 +0x2edd45 #14 0x00002132da606197 in AcpiRsGetMethodData(ACPI_HANDLE, const char*, ACPI_BUFFER*) ../../third_party/acpica/source/components/resources/rsutils.c:757 +0x2d4197 #15 0x00002132da60652d in AcpiWalkResources(ACPI_HANDLE, char*, ACPI_WALK_RESOURCE_CALLBACK, void*) ../../third_party/acpica/source/components/resources/rsxface.c:731 +0x2d452d #16 0x00002132da41dd48 in acpi::AcpiImpl::WalkResources(acpi::AcpiImpl*, ACPI_HANDLE, const char*, acpi::Acpi::ResourcesCallable) ../../src/devices/board/lib/acpi/acpi-impl.cc:41 +0xebd48 #17 0x00002132da42394d in acpi::DeviceBuilder::GatherResources(acpi::DeviceBuilder*, acpi::Acpi*, fidl::AnyArena&, acpi::Manager*, acpi::DeviceBuilder::GatherResourcesCallback) ../../src/devices/board/lib/acpi/device-builder.cc:52 +0xf194d #18 0x00002132da4afaf2 in acpi::Manager::ConfigureDiscoveredDevices(acpi::Manager*) ../../src/devices/board/lib/acpi/manager.cc:75 +0x17daf2 #19 0x00002132da3d7b44 in publish_acpi_devices(acpi::Manager*, zx_device_t*, zx_device_t*) ../../src/devices/board/drivers/x86/acpi-nswalk.cc:102 +0xa5b44 #20 0x00002132da3e96f7 in x86::X86::DoInit(x86::X86*) ../../src/devices/board/drivers/x86/x86.cc:65 +0xb76f7 #21.1 0x00002132da3f38ea in λ(x86::X86::DdkInit::(anon class)*) ../../src/devices/board/drivers/x86/x86.cc:82 +0xc18ea #21 0x00002132da3f38ea in fit::internal::target<(lambda at../../src/devices/board/drivers/x86/x86.cc:81:19), false, false, void>::invoke(void*) ../../sdk/lib/fit/include/lib/fit/internal/function.h:181 +0xc18ea #22.2 0x00002132da638c6c in fit::internal::function_base<16UL, false, void()>::invoke(const fit::internal::function_base<16UL, false, void ()>*) ../../sdk/lib/fit/include/lib/fit/internal/function.h:505 +0x306c6c #22.1 0x00002132da638c6c in fit::function_impl<16UL, false, void()>::operator()(const fit::function_impl<16UL, false, void ()>*) ../../sdk/lib/fit/include/lib/fit/function.h:300 +0x306c6c #22 0x00002132da638c6c in async::internal::RetainedTask::Handler(async_dispatcher_t*, async_task_t*, zx_status_t) ../../zircon/system/ulib/async/task.cc:25 +0x306c6c #23.1 0x000022c67b305d91 in λ(const driver_runtime::Dispatcher::PostTask::(anon class)*, std::__2::unique_ptr >, zx_status_t) ../../src/devices/bin/driver_runtime/dispatcher.cc:715 +0x4bd91 #23 0x000022c67b305d91 in fit::internal::target<(lambda at../../src/devices/bin/driver_runtime/dispatcher.cc:714:7), true, false, void, std::__2::unique_ptr>, int>::invoke(void*, std::__2::unique_ptr >, int) ../../sdk/lib/fit/include/lib/fit/internal/function.h:128 +0x4bd91 #24 0x000022c67b2febc9 in fit::internal::function_base<24UL, true, void(std::__2::unique_ptr>, int)>::invoke(const fit::internal::function_base<24UL, true, void (std::__2::unique_ptr >, int)>*, std::__2::unique_ptr >, int) ../../sdk/lib/fit/include/lib/fit/internal/function.h:505 +0x44bc9 #25 0x000022c67b2fe8dd in fit::callback_impl<24UL, true, void(std::__2::unique_ptr>, int)>::operator()(fit::callback_impl<24UL, true, void (std::__2::unique_ptr >, int)>*, std::__2::unique_ptr >, int) ../../sdk/lib/fit/include/lib/fit/function.h:451 +0x448dd #26 0x000022c67b2ef6a6 in driver_runtime::CallbackRequest::Call(driver_runtime::CallbackRequest*, std::__2::unique_ptr >, zx_status_t) ../../src/devices/bin/driver_runtime/callback_request.h:67 +0x356a6 #27 0x000022c67b2f64c8 in driver_runtime::Dispatcher::DispatchCallback(driver_runtime::Dispatcher*, std::__2::unique_ptr >) ../../src/devices/bin/driver_runtime/dispatcher.cc:1093 +0x3c4c8 #28 0x000022c67b2f72c1 in driver_runtime::Dispatcher::DispatchCallbacks(driver_runtime::Dispatcher*, std::__2::unique_ptr >, fbl::RefPtr) ../../src/devices/bin/driver_runtime/dispatcher.cc:1169 +0x3d2c1 #29.1 0x000022c67b30281e in λ(std::__2::unique_ptr >, fbl::RefPtr, const driver_runtime::Dispatcher::CreateWithAdder::(anon class)*) ../../src/devices/bin/driver_runtime/dispatcher.cc:338 +0x4881e #29 0x000022c67b30281e in fit::internal::target<(lambda at../../src/devices/bin/driver_runtime/dispatcher.cc:337:7), true, false, void, std::__2::unique_ptr>, fbl::RefPtr>::invoke(void*, std::__2::unique_ptr >, fbl::RefPtr) ../../sdk/lib/fit/include/lib/fit/internal/function.h:128 +0x4881e #30 0x000022c67b2fee7e in fit::internal::function_base<8UL, true, void(std::__2::unique_ptr>, fbl::RefPtr)>::invoke(const fit::internal::function_base<8UL, true, void (std::__2::unique_ptr >, fbl::RefPtr)>*, std::__2::unique_ptr >, fbl::RefPtr) ../../sdk/lib/fit/include/lib/fit/internal/function.h:505 +0x44e7e #31.1 0x000022c67b2f8964 in fit::function_impl<8UL, true, void(std::__2::unique_ptr>, fbl::RefPtr)>::operator()(const fit::function_impl<8UL, true, void (std::__2::unique_ptr >, fbl::RefPtr)>*, std::__2::unique_ptr >, fbl::RefPtr) ../../sdk/lib/fit/include/lib/fit/function.h:300 +0x3e964 #31 0x000022c67b2f8964 in driver_runtime::Dispatcher::EventWaiter::InvokeCallback(driver_runtime::Dispatcher::EventWaiter*, std::__2::unique_ptr >, fbl::RefPtr) ../../src/devices/bin/driver_runtime/dispatcher.h:299 +0x3e964 #32 0x000022c67b2f835d in driver_runtime::Dispatcher::EventWaiter::HandleEvent(std::__2::unique_ptr >, async_dispatcher_t*, async::WaitBase*, zx_status_t, zx_packet_signal_t const*) ../../src/devices/bin/driver_runtime/dispatcher.cc:1259 +0x3e35d #33.1 0x000022c67b302c00 in AsyncLoopOwnedEventHandler::HandleEvent(AsyncLoopOwnedEventHandler*, zx_status_t, zx_packet_signal_t const*, async_dispatcher_t*, async::WaitBase*) ../../src/devices/bin/driver_runtime/async_loop_owned_event_handler.h:59 +0x48c00 #33 0x000022c67b302c00 in async::WaitMethod, &AsyncLoopOwnedEventHandler::HandleEvent>::CallHandler(async_dispatcher_t*, async_wait_t*, zx_status_t, zx_packet_signal_t const*) ../../zircon/system/ulib/async/include/lib/async/cpp/wait.h:201 +0x48c00 #34.1 0x000022c67b324ead in async_loop_run_once(async_loop_t*, zx_time_t) ../../zircon/system/ulib/async-loop/loop.c:415 +0x6aead #34 0x000022c67b324ead in async_loop_run(async_loop_t*, zx_time_t, _Bool) ../../zircon/system/ulib/async-loop/loop.c:288 +0x6aead #35 0x000022c67b32678f in async_loop_run_thread(void*) ../../zircon/system/ulib/async-loop/loop.c:840 +0x6c78f #36 0x0000431cc3246edc in start_c11(void*) ../../zircon/third_party/ulib/musl/pthread/pthread_create.c:55 +0xd7edc #37 0x0000431cc337796d in thread_trampoline(uintptr_t, uintptr_t) ../../zircon/system/ulib/runtime/thread.cc:100 +0x20896d --- source/components/utilities/utresrc.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/source/components/utilities/utresrc.c b/source/components/utilities/utresrc.c index 7898e9929..f47b29246 100644 --- a/source/components/utilities/utresrc.c +++ b/source/components/utilities/utresrc.c @@ -532,16 +532,21 @@ AcpiUtValidateResource ( AmlResource = ACPI_CAST_PTR (AML_RESOURCE, Aml); if (ResourceType == ACPI_RESOURCE_NAME_SERIAL_BUS) { + /* Avoid undefined behavior: member access within misaligned address */ + + AML_RESOURCE_COMMON_SERIALBUS CommonSerialBus; + memcpy(&CommonSerialBus, AmlResource, sizeof(CommonSerialBus)); + /* Validate the BusType field */ - if ((AmlResource->CommonSerialBus.Type == 0) || - (AmlResource->CommonSerialBus.Type > AML_RESOURCE_MAX_SERIALBUSTYPE)) + if ((CommonSerialBus.Type == 0) || + (CommonSerialBus.Type > AML_RESOURCE_MAX_SERIALBUSTYPE)) { if (WalkState) { ACPI_ERROR ((AE_INFO, "Invalid/unsupported SerialBus resource descriptor: BusType 0x%2.2X", - AmlResource->CommonSerialBus.Type)); + CommonSerialBus.Type)); } return (AE_AML_INVALID_RESOURCE_TYPE); } -- cgit v1.2.1