Out-of-bounds array index in acpi_ds_create_operand()

From: Eric Biggers
Date: Sun Jan 24 2016 - 20:33:18 EST


Hi,

When booting Linux 4.5-rc1 with UBSAN enabled, I see the following report of
undefined behavior:

[ 0.675383] ================================================================================
[ 0.675387] UBSAN: Undefined behaviour in drivers/acpi/acpica/dsutils.c:641:16
[ 0.675390] index -1 is out of range for type 'acpi_operand_object *[9]'
[ 0.675393] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.5.0-rc1 #126
[ 0.675394] Hardware name: Dell Inc. Inspiron 15-7568/0M5YMV, BIOS 01.00.00 08/07/2015
[ 0.675395] ffffffffffffffff 0000000072577c57 ffff88026896b900 ffffffff8159dc2b
[ 0.675398] ffff88026896b930 0000000072577c57 ffff88026896b928 ffff88026896b918
[ 0.675400] ffffffff816034ed ffffffff8275e260 ffff88026896b970 ffffffff81603c65
[ 0.675402] Call Trace:
[ 0.675406] [<ffffffff8159dc2b>] dump_stack+0x57/0x8c
[ 0.675409] [<ffffffff816034ed>] ubsan_epilogue+0xd/0x40
[ 0.675411] [<ffffffff81603c65>] __ubsan_handle_out_of_bounds+0x75/0xa0
[ 0.675414] [<ffffffff816a0cf7>] acpi_ds_create_operand+0x253/0x307
[ 0.675416] [<ffffffff816a0ee2>] acpi_ds_create_operands+0x137/0x19c
[ 0.675419] [<ffffffff816c3b74>] ? acpi_ut_update_object_reference+0x13f/0x1d5
[ 0.675420] [<ffffffff8169d264>] acpi_ds_exec_end_control_op+0x174/0x31b
[ 0.675422] [<ffffffff816a1787>] acpi_ds_exec_end_op+0x2a3/0x56a
[ 0.675425] [<ffffffff816baa27>] acpi_ps_parse_loop+0x731/0x797
[ 0.675427] [<ffffffff816bbae3>] acpi_ps_parse_aml+0xa7/0x2d2
[ 0.675430] [<ffffffff816bc6b8>] acpi_ps_execute_method+0x1e3/0x21d
[ 0.675431] [<ffffffff816b4631>] acpi_ns_evaluate+0x228/0x2b8
[ 0.675433] [<ffffffff816c403e>] acpi_ut_evaluate_object+0x6b/0x1b1
[ 0.675435] [<ffffffff816c603e>] ? acpi_ut_delete_object_desc+0x58/0x5b
[ 0.675448] [<ffffffff81691214>] ? param_set_event_clearing+0x95/0x95
[ 0.675450] [<ffffffff816beaf7>] acpi_rs_get_method_data+0x29/0x5f
[ 0.675452] [<ffffffff816bf0ac>] acpi_walk_resources+0x79/0xce
[ 0.675454] [<ffffffff81690d9a>] ec_parse_device+0x64/0xd2
[ 0.675456] [<ffffffff816b8abf>] acpi_ns_get_device_callback+0x180/0x1a3
[ 0.675459] [<ffffffff816b82ad>] acpi_ns_walk_namespace+0x11a/0x1d6
[ 0.675461] [<ffffffff816b893f>] ? acpi_evaluate_object_typed+0xf3/0xf3
[ 0.675464] [<ffffffff82c53490>] ? acpi_sleep_proc_init+0x28/0x28
[ 0.675466] [<ffffffff816b8688>] acpi_get_devices+0x65/0x8f
[ 0.675467] [<ffffffff81690d36>] ? acpi_ec_event_processor+0xbd/0xbd
[ 0.675470] [<ffffffff82c53fbc>] acpi_ec_ecdt_probe+0x157/0x269
[ 0.675471] [<ffffffff82c5352a>] acpi_init+0x9a/0x2d0
[ 0.675474] [<ffffffff815b9ebe>] ? kasprintf+0x4e/0x70
[ 0.675476] [<ffffffff810003f8>] do_one_initcall+0xc8/0x270
[ 0.675478] [<ffffffff82c17abe>] ? initcall_blacklist+0x12e/0x12e
[ 0.675481] [<ffffffff82c1872b>] kernel_init_freeable+0x248/0x2de
[ 0.675483] [<ffffffff81c4fa40>] ? rest_init+0x80/0x80
[ 0.675485] [<ffffffff81c4fa49>] kernel_init+0x9/0xe0
[ 0.675487] [<ffffffff81c5841f>] ret_from_fork+0x3f/0x70
[ 0.675489] [<ffffffff81c4fa40>] ? rest_init+0x80/0x80
[ 0.675490] ================================================================================

The offending statement is the following, where num_operands was apparently 0,
resulting in an index of -1 into the 'operands' array:

    acpi_db_display_argument_object(walk_state->operands[walk_state->num_operands - 1],
                                    walk_state);
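As an added illustration, not code from this report or from ACPICA, the following minimal C model of the operand stack indexed by the statement above shows the checked form of that access: the accessor returns NULL instead of forming operands[num_operands - 1] when num_operands is 0. The struct, field types and helper names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

#define ACPI_OBJ_NUM_OPERANDS 9   /* size of the array named in the UBSAN report */

struct operand { int value; };   /* stand-in for acpi_operand_object (assumption) */

/* Only the two fields the offending statement touches (assumption). */
struct walk_state {
    struct operand *operands[ACPI_OBJ_NUM_OPERANDS];
    unsigned char num_operands;  /* num_operands - 1 promotes to int, hence "index -1" */
};

/* Checked replacement for operands[num_operands - 1]: returns NULL instead of
 * forming an out-of-range index when the stack is empty or the count is
 * inconsistent with the array size. */
static struct operand *top_operand(const struct walk_state *ws)
{
    if (ws->num_operands == 0 || ws->num_operands > ACPI_OBJ_NUM_OPERANDS)
        return NULL;
    return ws->operands[ws->num_operands - 1];
}

static bool push_operand(struct walk_state *ws, struct operand *op)
{
    if (ws->num_operands >= ACPI_OBJ_NUM_OPERANDS)
        return false;                 /* stack full: refuse rather than overflow */
    ws->operands[ws->num_operands++] = op;
    return true;
}

static struct operand *pop_operand(struct walk_state *ws)
{
    struct operand *op = top_operand(ws);   /* NULL on empty stack, no -1 index */
    if (op)
        ws->operands[--ws->num_operands] = NULL;
    return op;
}

int main(void)
{
    struct walk_state ws = { .num_operands = 0 };   /* constructed sample state */
    struct operand a = { .value = 1 }, b = { .value = 2 };
    printf("empty stack: %s\n", top_operand(&ws) ? "operand" : "NULL");
    push_operand(&ws, &a);
    push_operand(&ws, &b);
    printf("top after two pushes: %d\n", top_operand(&ws)->value);
    return 0;
}
```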