From 61388f9e5d93053cf399a356414f31f9b4814c6d Mon Sep 17 00:00:00 2001 From: Bob Moore Date: Wed, 8 May 2013 04:01:15 +0000 Subject: [PATCH 1/3] ACPICA: Fix possible buffer overflow during a field unit read operation Can only happen under these conditions: 1) The DSDT version is 1, meaning integers are 32-bits. 2) The field is between 33 and 64 bits long. It applies cleanly back to ACPICA 20100806+ (Linux v2.6.37+). Signed-off-by: Bob Moore Signed-off-by: Lv Zheng Cc: 2.6.37+ Signed-off-by: Rafael J. Wysocki --- drivers/acpi/acpica/exfldio.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/exfldio.c b/drivers/acpi/acpica/exfldio.c index ec7f5690031b..c84ee956fa4c 100644 --- a/drivers/acpi/acpica/exfldio.c +++ b/drivers/acpi/acpica/exfldio.c @@ -720,7 +720,19 @@ acpi_ex_extract_from_field(union acpi_operand_object *obj_desc, if ((obj_desc->common_field.start_field_bit_offset == 0) && (obj_desc->common_field.bit_length == access_bit_width)) { - status = acpi_ex_field_datum_io(obj_desc, 0, buffer, ACPI_READ); + if (buffer_length >= sizeof(u64)) { + status = + acpi_ex_field_datum_io(obj_desc, 0, buffer, + ACPI_READ); + } else { + /* Use raw_datum (u64) to handle buffers < 64 bits */ + + status = + acpi_ex_field_datum_io(obj_desc, 0, &raw_datum, + ACPI_READ); + ACPI_MEMCPY(buffer, &raw_datum, buffer_length); + } + return_ACPI_STATUS(status); } From 3aa2eeacb559e9901153d3b084ade81515b0967e Mon Sep 17 00:00:00 2001 From: Jung-uk Kim Date: Wed, 8 May 2013 04:01:49 +0000 Subject: [PATCH 2/3] ACPICA: _OSI support: Fix possible memory leak Fixes a possible memory leak in the error exit path introduced by recent commit 388a990 ("ACPICA: _OSI Support: handle any errors from acpi_os_acquire_mutex()"). [rjw: Changelog] Signed-off-by: Jung-uk Kim Signed-off-by: Bob Moore Signed-off-by: Lv Zheng Signed-off-by: Rafael J. Wysocki --- drivers/acpi/acpica/utosi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/utosi.c b/drivers/acpi/acpica/utosi.c index b15acebb96a1..7e807725c636 100644 --- a/drivers/acpi/acpica/utosi.c +++ b/drivers/acpi/acpica/utosi.c @@ -349,7 +349,8 @@ acpi_status acpi_ut_osi_implementation(struct acpi_walk_state * walk_state) return_value = 0; status = acpi_os_acquire_mutex(acpi_gbl_osi_mutex, ACPI_WAIT_FOREVER); if (ACPI_FAILURE(status)) { - return (status); + acpi_ut_remove_reference(return_desc); + return_ACPI_STATUS(status); } /* Lookup the interface in the global _OSI list */ From 04a29a15520463e072b1a98d8989f04233ee4a7e Mon Sep 17 00:00:00 2001 From: Tomasz Nowicki Date: Wed, 8 May 2013 04:02:06 +0000 Subject: [PATCH 3/3] ACPICA: ACPICA: Fix for _INI regression This change fixes a problem introduced by recent commit c34c82b (ACPICA: Predefine names: Add allowed argument types to master info table) in 20130328 where _INI methods are no longer executed properly because of a memory block that is not initialized properly. ACPICA BZ1016. Tomasz Nowicki References: https://bugs.acpica.org/show_bug.cgi?id=1016 Signed-off-by: Tomasz Nowicki Signed-off-by: Bob Moore Signed-off-by: Lv Zheng Signed-off-by: Rafael J. Wysocki --- drivers/acpi/acpica/nsinit.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/acpi/acpica/nsinit.c b/drivers/acpi/acpica/nsinit.c index 2a431ec50a25..46f0f83417a1 100644 --- a/drivers/acpi/acpica/nsinit.c +++ b/drivers/acpi/acpica/nsinit.c @@ -558,6 +558,7 @@ acpi_ns_init_one_device(acpi_handle obj_handle, ACPI_DEBUG_EXEC(acpi_ut_display_init_pathname (ACPI_TYPE_METHOD, device_node, METHOD_NAME__INI)); + ACPI_MEMSET(info, 0, sizeof(struct acpi_evaluate_info)); info->prefix_node = device_node; info->pathname = METHOD_NAME__INI; info->parameters = NULL;