// SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0
/*******************************************************************************
*
* Module Name: nseval - Object evaluation, includes control method execution
*
******************************************************************************/
#include <acpi/acpi.h>
#include "accommon.h"
#include "acparser.h"
#include "acinterp.h"
#include "acnamesp.h"
#define _COMPONENT ACPI_NAMESPACE
ACPI_MODULE_NAME("nseval")
/*******************************************************************************
 *
 * FUNCTION:    acpi_ns_evaluate
 *
 * PARAMETERS:  info            - Evaluation info block, contains these fields
 *                                and more:
 *                  node            - Target node. If NULL on entry it is
 *                                    looked up from prefix_node and
 *                                    relative_pathname.
 *                  prefix_node     - Prefix or Method/Object Node to execute
 *                  relative_pathname - Name of method to execute, If NULL, the
 *                                    Node is the object to execute
 *                  parameters      - List of parameters to pass to the method,
 *                                    terminated by NULL. Params itself may be
 *                                    NULL if no parameters are being passed.
 *                  parameter_type  - Type of Parameter list
 *                  return_object   - Where to put method's return value (if
 *                                    any). Reset to NULL before evaluation;
 *                                    if NULL afterwards, no value is returned.
 *                  flags           - ACPI_IGNORE_RETURN_VALUE to delete the
 *                                    return object instead of handing it back
 *
 * RETURN:      Status. Values set directly by this function:
 *                  AE_BAD_PARAMETER - info is NULL
 *                  AE_NO_MEMORY     - no full pathname could be obtained
 *                  AE_TYPE          - object type cannot be evaluated
 *                  AE_NULL_OBJECT   - method node has no attached object
 *                  AE_OK            - AE_CTRL_RETURN_VALUE is mapped to AE_OK
 *              Any other status comes from the node lookup, the method
 *              execution or the node-to-value resolution.
 *
 * DESCRIPTION: Execute a control method or return the current value of an
 *              ACPI namespace object.
 *
 * MUTEX:       Locks interpreter (around method execution and around
 *              node-to-value resolution)
 *
 ******************************************************************************/
acpi_status acpi_ns_evaluate(struct acpi_evaluate_info *info)
{
	acpi_status status;

	ACPI_FUNCTION_TRACE(ns_evaluate);

	/*
	 * The two early exits below return directly instead of jumping to
	 * cleanup: cleanup dereferences info->full_pathname, which is only
	 * assigned further down.
	 */
	if (!info) {
		return_ACPI_STATUS(AE_BAD_PARAMETER);
	}

	if (!info->node) {
		/*
		 * Get the actual namespace node for the target object if we
		 * need to. Handles these cases:
		 *
		 * 1) Null node, valid pathname from root (absolute path)
		 * 2) Node and valid pathname (path relative to Node)
		 * 3) Node, Null pathname
		 */
		status =
		    acpi_ns_get_node(info->prefix_node, info->relative_pathname,
				     ACPI_NS_NO_UPSEARCH, &info->node);
		if (ACPI_FAILURE(status)) {
			return_ACPI_STATUS(status);
		}
	}

	/*
	 * For a method alias, we must grab the actual method node so that
	 * proper scoping context will be established before execution.
	 *
	 * NOTE(review): the cast trusts that an alias node's ->object field
	 * holds a namespace node pointer -- confirm against the code that
	 * creates method aliases.
	 */
	if (acpi_ns_get_type(info->node) == ACPI_TYPE_LOCAL_METHOD_ALIAS) {
		info->node =
		    ACPI_CAST_PTR(struct acpi_namespace_node,
				  info->node->object);
	}

	/* Complete the info block initialization */

	info->return_object = NULL;
	info->node_flags = info->node->flags;
	info->obj_desc = acpi_ns_get_attached_object(info->node);

	/*
	 * NOTE(review): this and the later debug prints format node/object
	 * pointers with %p. Whether the addresses reach the log unhashed
	 * depends on the host print routine -- confirm before treating ACPI
	 * debug output as non-sensitive.
	 */
	ACPI_DEBUG_PRINT((ACPI_DB_NAMES, "%s [%p] Value %p\n",
			  info->relative_pathname, info->node,
			  acpi_ns_get_attached_object(info->node)));

	/* Get info if we have a predefined name (_HID, etc.) */

	info->predefined =
	    acpi_ut_match_predefined_method(info->node->name.ascii);

	/* Get the full pathname to the object, for use in warning messages */

	info->full_pathname = acpi_ns_get_normalized_pathname(info->node, TRUE);
	if (!info->full_pathname) {
		return_ACPI_STATUS(AE_NO_MEMORY);
	}

	/*
	 * Optional object evaluation log. The [1] index skips the first
	 * character of the pathname (presumably the root prefix -- confirm).
	 */

	ACPI_DEBUG_PRINT_RAW((ACPI_DB_EVALUATION,
			      "%-26s: %s (%s)\n", " Enter evaluation",
			      &info->full_pathname[1],
			      acpi_ut_get_type_name(info->node->type)));

	/*
	 * Count the number of arguments being passed in.
	 *
	 * The scan stops only at the NULL terminator; the clamp to
	 * ACPI_METHOD_NUM_ARGS is applied after counting. Callers must
	 * therefore always NULL-terminate info->parameters.
	 */

	info->param_count = 0;
	if (info->parameters) {
		while (info->parameters[info->param_count]) {
			info->param_count++;
		}

		/* Warn on impossible argument count */

		if (info->param_count > ACPI_METHOD_NUM_ARGS) {
			ACPI_WARN_PREDEFINED((AE_INFO, info->full_pathname,
					      ACPI_WARN_ALWAYS,
					      "Excess arguments (%u) - using only %u",
					      info->param_count,
					      ACPI_METHOD_NUM_ARGS));

			/* Excess arguments are dropped, not treated as an error */
			info->param_count = ACPI_METHOD_NUM_ARGS;
		}
	}

	/*
	 * For predefined names: Check that the declared argument count
	 * matches the ACPI spec -- otherwise this is a BIOS error.
	 */
	acpi_ns_check_acpi_compliance(info->full_pathname, info->node,
				      info->predefined);

	/*
	 * For all names: Check that the incoming argument count for
	 * this method/object matches the actual ASL/AML definition.
	 */
	acpi_ns_check_argument_count(info->full_pathname, info->node,
				     info->param_count, info->predefined);

	/* For predefined names: Typecheck all incoming arguments */

	acpi_ns_check_argument_types(info);

	/*
	 * Three major evaluation cases:
	 *
	 * 1) Object types that cannot be evaluated by definition
	 * 2) The object is a control method -- execute it
	 * 3) The object is not a method -- just return its current value
	 */
	switch (acpi_ns_get_type(info->node)) {
	case ACPI_TYPE_ANY:
	case ACPI_TYPE_DEVICE:
	case ACPI_TYPE_EVENT:
	case ACPI_TYPE_MUTEX:
	case ACPI_TYPE_REGION:
	case ACPI_TYPE_THERMAL:
	case ACPI_TYPE_LOCAL_SCOPE:
		/*
		 * 1) Disallow evaluation of these object types. For these,
		 * object evaluation is undefined.
		 */
		ACPI_ERROR((AE_INFO,
			    "%s: This object type [%s] "
			    "never contains data and cannot be evaluated",
			    info->full_pathname,
			    acpi_ut_get_type_name(info->node->type)));

		/* Jumps past the return-value handling; return_object is still NULL */
		status = AE_TYPE;
		goto cleanup;

	case ACPI_TYPE_METHOD:
		/*
		 * 2) Object is a control method - execute it
		 */

		/* Verify that there is a method object associated with this node */

		if (!info->obj_desc) {
			ACPI_ERROR((AE_INFO,
				    "%s: Method has no attached sub-object",
				    info->full_pathname));
			status = AE_NULL_OBJECT;
			goto cleanup;
		}

		ACPI_DEBUG_PRINT((ACPI_DB_EXEC,
				  "**** Execute method [%s] at AML address %p length %X\n",
				  info->full_pathname,
				  info->obj_desc->method.aml_start + 1,
				  info->obj_desc->method.aml_length - 1));

		/*
		 * Any namespace deletion must acquire both the namespace and
		 * interpreter locks to ensure that no thread is using the portion of
		 * the namespace that is being deleted.
		 *
		 * Execute the method via the interpreter. The interpreter is locked
		 * here before calling into the AML parser
		 */
		acpi_ex_enter_interpreter();
		status = acpi_ps_execute_method(info);
		acpi_ex_exit_interpreter();

		/*
		 * Any status, including a failure, leaves via break and so
		 * reaches the return-value check and release logic below.
		 */
		break;

	default:
		/*
		 * 3) All other non-method objects -- get the current object value
		 */

		/*
		 * Some objects require additional resolution steps (e.g., the Node
		 * may be a field that must be read, etc.) -- we can't just grab
		 * the object out of the node.
		 *
		 * Use resolve_node_to_value() to get the associated value.
		 *
		 * NOTE: we can get away with passing in NULL for a walk state because
		 * the Node is guaranteed to not be a reference to either a method
		 * local or a method argument (because this interface is never called
		 * from a running method.)
		 *
		 * Even though we do not directly invoke the interpreter for object
		 * resolution, we must lock it because we could access an op_region.
		 * The op_region access code assumes that the interpreter is locked.
		 */
		acpi_ex_enter_interpreter();

		/* TBD: resolve_node_to_value has a strange interface, fix */

		/*
		 * return_object is seeded with the node pointer (cast) and then
		 * passed by address, so the resolver can overwrite it in place.
		 */
		info->return_object =
		    ACPI_CAST_PTR(union acpi_operand_object, info->node);

		status =
		    acpi_ex_resolve_node_to_value(ACPI_CAST_INDIRECT_PTR
						  (struct acpi_namespace_node,
						   &info->return_object), NULL);
		acpi_ex_exit_interpreter();

		if (ACPI_FAILURE(status)) {
			/*
			 * Cleared without dropping a reference.
			 * NOTE(review): presumably return_object still holds
			 * the seeded node pointer on failure, which is not an
			 * operand object to release -- confirm against
			 * acpi_ex_resolve_node_to_value.
			 */
			info->return_object = NULL;
			goto cleanup;
		}

		ACPI_DEBUG_PRINT((ACPI_DB_NAMES, "Returned object %p [%s]\n",
				  info->return_object,
				  acpi_ut_get_object_type_name(info->
							       return_object)));

		status = AE_CTRL_RETURN_VALUE;	/* Always has a "return value" */
		break;
	}

	/*
	 * For predefined names, check the return value against the ACPI
	 * specification. Some incorrect return value types are repaired.
	 *
	 * The status returned by the check is deliberately discarded (void);
	 * the evaluation status computed above is what this function returns.
	 */
	(void)acpi_ns_check_return_value(info->node, info, info->param_count,
					 status, &info->return_object);

	/* Check if there is a return value that must be dealt with */

	if (status == AE_CTRL_RETURN_VALUE) {

		/* If caller does not want the return value, delete it */

		if (info->flags & ACPI_IGNORE_RETURN_VALUE) {
			acpi_ut_remove_reference(info->return_object);
			info->return_object = NULL;
		}

		/* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */

		status = AE_OK;
	} else if (ACPI_FAILURE(status)) {

		/*
		 * If return_object exists, delete it.
		 *
		 * Only the AE_CTRL_RETURN_VALUE branch above used to release
		 * return_object. On an error status the object can still be
		 * attached, so its reference has to be dropped here or the
		 * operand object leaks.
		 *
		 * Background from the commit that added this branch ("ACPICA:
		 * acpi: acpica: fix acpi operand cache leak in nseval.c"): a
		 * malicious ACPI table made method execution fail with
		 * AE_AML_INTERNAL, ACPI terminated early while boot continued,
		 * and kmem_cache_destroy() reported "Acpi-Operand: Slab cache
		 * still has objects". The commit author rates the leak as
		 * security relevant because kernels <= 4.9 print kernel
		 * function addresses in the accompanying stack dump, which can
		 * be used against kernel ASLR.
		 */

		if (info->return_object) {
			acpi_ut_remove_reference(info->return_object);
			info->return_object = NULL;
		}
	}

	ACPI_DEBUG_PRINT((ACPI_DB_NAMES,
			  "*** Completed evaluation of object %s ***\n",
			  info->relative_pathname));

cleanup:
	/*
	 * Optional object evaluation log.
	 *
	 * Every goto to this label sits after the NULL check on
	 * info->full_pathname, so taking the address of element [1] does not
	 * touch a NULL pointer on those paths.
	 */

	ACPI_DEBUG_PRINT_RAW((ACPI_DB_EVALUATION,
			      "%-26s: %s\n", " Exit evaluation",
			      &info->full_pathname[1]));

	/*
	 * Namespace was unlocked by the handling acpi_ns* function, so we
	 * just free the pathname and return
	 */
	ACPI_FREE(info->full_pathname);

	/* Clear the field so the info block does not keep a dangling pointer */
	info->full_pathname = NULL;
	return_ACPI_STATUS(status);
}