lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAJZ5v0gH=0m_RCDa1++GUt4Qa28MdFPsNYc46ZMB7OnVJL=F4g@mail.gmail.com>
Date: Sun, 22 Jun 2025 12:53:08 +0200
From: "Rafael J. Wysocki" <rafael@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: "Rafael J. Wysocki" <rafael@...nel.org>, ACPI Devel Maling List <linux-acpi@...r.kernel.org>, 
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Saket Dumbre <saket.dumbre@...el.com>
Subject: Re: [GIT PULL] ACPI fix for v6.16-rc3

On Sat, Jun 21, 2025 at 5:35 PM Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
>
> On Sat, 21 Jun 2025 at 04:31, Rafael J. Wysocki <rafael@...nel.org> wrote:
> >
> > This fixes a crash in ACPICA while attempting to evaluate a control
> > method that expects more arguments than are being passed to it, which
> > was exposed by a defective firmware update from a prominent OEM on
> > multiple systems.
>
> Christ. Reading the ACPI issues page makes me go "D'oh".
>
> Does anybody know what the heck Windows does in this situation? Does
> it just happen to work because it uses random arguments and happily
> dereferences bogus things without realizing, or does it do the "zero
> out missing arguments" thing?

Saket said: "I didn't run into this same bug on Windows though and the
interpreter just aborted out with a different error message saying
that this method already exists elsewhere. Maybe Windows thinks that
when RUCC is called with 2 args instead of 3, it is perhaps referring
to a different method with the same name, but warns that this name
already exists (AE_ALREADY_EXISTS)."

> Because clearly that firmware bug must have passed entirely unnoticed
> by people testing that thing on Windows...

Well, given the above, I'm wondering how it has been tested on
Windows.  It looks like somebody set a really low bar for the
verification of it.

Cheers, Rafael

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ