Thanks Jeff!

Fail at _ipmi_acpi_get_table
  1031:   *acpi_table = NULL;
At this time we see acpi_table=0x0
So dereference 0x0 and segfault.

Now how far up does this crash have data...

_ipmi_acpi_get_firmware_table does
1485   uint8_t *acpi_table = NULL;
...
1498   if ((_ipmi_acpi_get_table_sysfs (ctx, signature, table_instance,
1499             &acpi_table, &acpi_table_length) != 0))

So if _ipmi_acpi_get_table_sysfs returns != 0 BUT keeps acpi_table unset, our
bug will happen.
The crash no longer holds the execution stack of _ipmi_acpi_get_table_sysfs, as
that has completed, but we can check the function for anything obvious
(and different from Bionic).

 _ipmi_acpi_get_firmware_table (signature=0x7f731c71582e "SPMI",
sign_table_data_length=<synthetic pointer>, sign_table_data=<synthetic
pointer>, table_instance=0, ctx=0x55c6e4ab4510)

To reach rv=0 it needs to reach
1233   *acpi_table = acpi_table_buf;

The "malloc of" and "read into" of acpi_table_buf have to succeed to not hit
"cleanup".
But if acpi_table_length were zero, then malloc could return NULL and a read
returning 0 would be accepted.

acpi_table_length is from
  lseek (sysfs_acpi_fd, 0, SEEK_END)


Theory: /sys/firmware/acpi/tables/SPMI* contains an empty file - that might 
lead to the crash.

Example of a HP system:
$ sudo cat /sys/firmware/acpi/tables/SPMI 
SPMIA�HP    ProLiantHP �

Comparing Focal/Bionic in regard to _ipmi_acpi_get_firmware_table /
_ipmi_acpi_get_table_sysfs doesn't point to anything obvious. I'd assume
the change that makes one work is in a different place (e.g. not calling
into the function at all).


@Jeff
 - what does the system have at /sys/firmware/acpi/tables/SPMI ?
   file list and stat please
   $ ls -laF /sys/firmware/acpi/tables/SPMI*
   $ stat /sys/firmware/acpi/tables/SPMI*
 - if it's not too much, attaching the file(s) here would be awesome

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1875771

Title:
  ipmi_locate segfault on Focal (Dell iDRAC6/9)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipmi/+bug/1875771/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
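The lseek/malloc/read path reasoned about in the reply above, as an added example that is not freeipmi's code and not part of the original thread: a naive reader that accepts an empty sysfs file exactly the way the reply suspects, beside a checked reader that refuses it. Function names, the bitmask return and the /tmp sample files are assumptions made for this example; the 36-byte ACPI SDT header layout (little-endian Length at offset 4, byte checksum summing to 0) comes from the ACPI specification, not from the thread.

```c
/* Added example, not freeipmi code. Names below are invented; /tmp is
 * assumed writable for the constructed sample files. */
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ACPI_SDT_HEADER_LEN 36u
#define ACPI_TABLE_MAX (1u << 20)   /* sanity bound, an assumption */

/* Naive reader: for an empty file end == 0, malloc(0) is implementation-
 * defined (NULL or a zero-size pointer, neither usable) and read() returning
 * 0 equals the expected length, so it reports success with a useless table. */
static int naive_read_table(const char *path, uint8_t **table, size_t *len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    off_t end = lseek(fd, 0, SEEK_END);
    if (end < 0 || lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }
    uint8_t *buf = malloc((size_t)end);
    ssize_t n = read(fd, buf, (size_t)end);  /* 0 == 0 for an empty file */
    close(fd);
    if (n != (ssize_t)end) { free(buf); return -1; }
    *table = buf;
    *len = (size_t)end;
    return 0;
}

/* Byte sum of a table; the ACPI spec requires it to be 0 mod 256. */
static uint8_t acpi_checksum(const uint8_t *p, size_t n)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = (uint8_t)(sum + p[i]);
    return sum;
}

/* Checked reader: refuses anything shorter than a header before allocating,
 * tolerates short reads, validates signature, Length and checksum, and leaves
 * *table NULL / *len 0 on every error path so no caller sees stale state. */
static int checked_read_table(const char *path, const char *sig,
                              uint8_t **table, size_t *len)
{
    *table = NULL; *len = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    off_t end = lseek(fd, 0, SEEK_END);
    if (end < (off_t)ACPI_SDT_HEADER_LEN || end > (off_t)ACPI_TABLE_MAX ||
        lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }
    size_t want = (size_t)end, got = 0;
    uint8_t *buf = malloc(want);
    if (!buf) { close(fd); return -1; }
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n <= 0) break;
        got += (size_t)n;
    }
    close(fd);
    uint32_t hdr_len = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                       (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    if (got != want || memcmp(buf, sig, 4) != 0 || hdr_len != want ||
        acpi_checksum(buf, want) != 0) { free(buf); return -1; }
    *table = buf; *len = want;
    return 0;
}

/* Writes a constructed sample to /tmp; n == 0 gives the empty file the
 * reply suspects /sys/firmware/acpi/tables/SPMI to be. */
static int write_temp(const uint8_t *data, size_t n, char *path)
{
    strcpy(path, "/tmp/spmi_XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int ok = n == 0 || write(fd, data, n) == (ssize_t)n;
    close(fd);
    return ok ? 0 : -1;
}

/* Bitmask result: bit 0 = naive reader "succeeded" on the empty file with
 * len 0 (the bug); bit 1 = checked reader rejected it and left *table NULL;
 * bit 2 = checked reader accepted a constructed 40-byte SPMI table. */
int demo(void)
{
    uint8_t spmi[40] = { 'S','P','M','I', 40,0,0,0, 5,0, 'H','P',' ',' ',' ',' ',
        'P','r','o','L','i','a','n','t', 1,0,0,0, 'T','E','S','T', 1,0,0,0, 1,0,0,0 };
    spmi[9] = (uint8_t)(0u - acpi_checksum(spmi, sizeof spmi)); /* valid checksum */
    char empty_path[32], table_path[32];
    if (write_temp(NULL, 0, empty_path) < 0 ||
        write_temp(spmi, sizeof spmi, table_path) < 0) return -1;
    int result = 0; uint8_t *t = NULL; size_t n = 0;
    if (naive_read_table(empty_path, &t, &n) == 0 && n == 0) result |= 1;
    free(t);
    if (checked_read_table(empty_path, "SPMI", &t, &n) != 0 && t == NULL) result |= 2;
    if (checked_read_table(table_path, "SPMI", &t, &n) == 0 && t && n == 40) result |= 4;
    free(t);
    unlink(empty_path); unlink(table_path);
    return result;
}
```

Calling demo() returns 7 when the naive reader accepts the empty file and the checked reader rejects it while still accepting the well-formed table. The design point is the one the reply circles around: a zero-length sysfs file should be treated as "no table" before any allocation happens, and an output pointer should be initialised to NULL on entry so that whichever way the function exits, the caller never dereferences uninitialised or stale state.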