Our ACPI namerefs are pointers to the byte structures for ACPI names.

These are not in a printable format, hence printing them as string is
wrong.  Additionally, aml_searchrel()/aml_searchname() expect the name
to be passed in a printable format as well.  Passing a nameref can lead
to an out-of-bounds read, and the comparison can fail.  Hence make sure
that namerefs are passed to aml_getname() first, which returns printable
strings.  Note that aml_getname() uses a static buffer, so there are a
few restrictions how the string can be used.

ok kettenis@

6 files changed, 20 insertions, 15 deletions

diff --git a/sys/dev/acpi/acpiprt.c b/sys/dev/acpi/acpiprt.c
index ea28993d051..bd62006301a 100644
--- a/sys/dev/acpi/acpiprt.c
+++ b/sys/dev/acpi/acpiprt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: acpiprt.c,v 1.50 2020/12/17 17:57:19 kettenis Exp $ */
+/* $OpenBSD: acpiprt.c,v 1.51 2021/03/10 21:49:55 patrick Exp $ */
 /*
  * Copyright (c) 2006 Mark Kettenis <kettenis@openbsd.org>
  *
@@ -273,7 +273,8 @@ acpiprt_prt_add(struct acpiprt_softc *sc, struct aml_value *v)
 
 	pp = v->v_package[2];
 	if (pp->type == AML_OBJTYPE_NAMEREF) {
-		node = aml_searchrel(sc->sc_devnode, pp->v_nameref);
+		node = aml_searchrel(sc->sc_devnode,
+		    aml_getname(pp->v_nameref));
 		if (node == NULL) {
 			printf("Invalid device\n");
 			return;
diff --git a/sys/dev/acpi/acpipwrres.c b/sys/dev/acpi/acpipwrres.c
index 4de7da1e871..6ffe53870c8 100644
--- a/sys/dev/acpi/acpipwrres.c
+++ b/sys/dev/acpi/acpipwrres.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: acpipwrres.c,v 1.9 2020/12/17 17:57:19 kettenis Exp $ */
+/* $OpenBSD: acpipwrres.c,v 1.10 2021/03/10 21:49:55 patrick Exp $ */
 
 /*
  * Copyright (c) 2013 Martin Pieuchot <mpi@openbsd.org>
@@ -294,7 +294,8 @@ acpipwrres_foundcons(struct aml_node *node, void *arg)
 		if (ref->type == AML_OBJTYPE_NAMEREF) {
 			struct aml_node	*pnode;
 
-			pnode = aml_searchrel(&aml_root, ref->v_nameref);
+			pnode = aml_searchrel(&aml_root,
+			    aml_getname(ref->v_nameref));
 			if (pnode == NULL) {
 				DPRINTF(("%s: device %s not found\n",
 				    DEVNAME(sc), ref->v_string));
diff --git a/sys/dev/acpi/acpitz.c b/sys/dev/acpi/acpitz.c
index f364ac89006..af27555c9ad 100644
--- a/sys/dev/acpi/acpitz.c
+++ b/sys/dev/acpi/acpitz.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: acpitz.c,v 1.55 2020/12/17 17:57:19 kettenis Exp $ */
+/* $OpenBSD: acpitz.c,v 1.56 2021/03/10 21:49:55 patrick Exp $ */
 /*
  * Copyright (c) 2006 Can Erkin Acar <canacar@openbsd.org>
  * Copyright (c) 2005 Marco Peereboom <marco@openbsd.org>
@@ -306,7 +306,7 @@ acpitz_setfan(struct acpitz_softc *sc, int i, char *method)
 			ref = res1.v_package[y];
 			if (ref->type == AML_OBJTYPE_NAMEREF) {
 				node = aml_searchrel(sc->sc_devnode,
-				    ref->v_nameref);
+				    aml_getname(ref->v_nameref));
 				if (node == NULL) {
 					printf("%s: %s[%d.%d] _PR0"
 					    " not a valid device\n",
diff --git a/sys/dev/acpi/atk0110.c b/sys/dev/acpi/atk0110.c
index 503d1e4a813..e9992b71449 100644
--- a/sys/dev/acpi/atk0110.c
+++ b/sys/dev/acpi/atk0110.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: atk0110.c,v 1.16 2020/12/17 17:57:19 kettenis Exp $	*/
+/*	$OpenBSD: atk0110.c,v 1.17 2021/03/10 21:49:55 patrick Exp $	*/
 
 /*
  * Copyright (c) 2009 Constantine A. Murenin <cnst+openbsd@bugmail.mojo.ru>
@@ -104,7 +104,7 @@ void	aibs_refresh(void *);
 
 void	aibs_attach_sif(struct aibs_softc *, enum sensor_type);
 void	aibs_attach_new(struct aibs_softc *);
-void	aibs_add_sensor(struct aibs_softc *, char *);
+void	aibs_add_sensor(struct aibs_softc *, const char *);
 void	aibs_refresh_r(struct aibs_softc *, struct aibs_sensor *);
 int	aibs_getvalue(struct aibs_softc *, int64_t, int64_t *);
 int	aibs_getpack(struct aibs_softc *, struct aml_node *, int64_t,
@@ -235,7 +235,7 @@ aibs_attach_sif(struct aibs_softc *sc, enum sensor_type st)
 			    DEVNAME(sc), name, i, v[0]->type);
 			continue;
 		}
-		aibs_add_sensor(sc, v[0]->v_nameref);
+		aibs_add_sensor(sc, aml_getname(v[0]->v_nameref));
 	}
 
 	aml_freevalue(&res);
@@ -266,7 +266,7 @@ aibs_attach_new(struct aibs_softc *sc)
 }
 
 void
-aibs_add_sensor(struct aibs_softc *sc, char *name)
+aibs_add_sensor(struct aibs_softc *sc, const char *name)
 {
 	struct aml_value	 ri;
 	struct aibs_sensor	*as;
diff --git a/sys/dev/acpi/dsdt.c b/sys/dev/acpi/dsdt.c
index 0cbeeb43d08..ac0e4323653 100644
--- a/sys/dev/acpi/dsdt.c
+++ b/sys/dev/acpi/dsdt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsdt.c,v 1.258 2021/03/07 22:53:46 yasuoka Exp $ */
+/* $OpenBSD: dsdt.c,v 1.259 2021/03/10 21:49:55 patrick Exp $ */
 /*
  * Copyright (c) 2005 Jordan Hargrave <jordan@openbsd.org>
  *
@@ -1689,7 +1689,7 @@ int aml_fixup_node(struct aml_node *node, void *arg)
 	if (arg == NULL)
 		aml_fixup_node(node, node->value);
 	else if (val->type == AML_OBJTYPE_NAMEREF) {
-		node = aml_searchname(node, val->v_nameref);
+		node = aml_searchname(node, aml_getname(val->v_nameref));
 		if (node && node->value) {
 			_aml_setvalue(val, AML_OBJTYPE_OBJREF, AMLOP_NAMECHAR,
 			    node->value);
@@ -3005,9 +3005,11 @@ aml_store(struct aml_scope *scope, struct aml_value *lhs , int64_t ival,
 		aml_copyvalue(lhs, rhs);
 		break;
 	case AML_OBJTYPE_NAMEREF:
-		node = __aml_searchname(scope->node, lhs->v_nameref, 1);
+		node = __aml_searchname(scope->node,
+		    aml_getname(lhs->v_nameref), 1);
 		if (node == NULL) {
-			aml_die("Could not create node %s", lhs->v_nameref);
+			aml_die("Could not create node %s",
+			    aml_getname(lhs->v_nameref));
 		}
 		aml_copyvalue(node->value, rhs);
 		break;
diff --git a/sys/dev/acpi/dsdt.h b/sys/dev/acpi/dsdt.h
index b07312da3e3..c2f91d22b63 100644
--- a/sys/dev/acpi/dsdt.h
+++ b/sys/dev/acpi/dsdt.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsdt.h,v 1.78 2020/09/16 11:52:17 jsg Exp $ */
+/* $OpenBSD: dsdt.h,v 1.79 2021/03/10 21:49:55 patrick Exp $ */
 /*
  * Copyright (c) 2005 Marco Peereboom <marco@openbsd.org>
  *
@@ -44,6 +44,7 @@ const char		*aml_mnem(int, uint8_t *);
 int64_t			aml_val2int(struct aml_value *);
 struct aml_node		*aml_searchname(struct aml_node *, const void *);
 struct aml_node		*aml_searchrel(struct aml_node *, const void *);
+const char		*aml_getname(const char *);
 
 struct aml_value	*aml_getstack(struct aml_scope *, int);
 struct aml_value	*aml_allocvalue(int, int64_t, const void *);