kern/58870: ipmi(4): misaligned buffer in get_sdr_partial

[campbell+netbsd%mumble.net@localhost]

>Number:         58870
>Category:       kern
>Synopsis:       ipmi(4): misaligned buffer in get_sdr_partial
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 03 17:40:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, ...
>Organization:
TheI pmiBSDF oundation
>Environment:
>Description:
   1105 static int
   1106 get_sdr_partial(struct ipmi_softc *sc, uint16_t recordId, uint16_t reserveId,
   1107     uint8_t offset, uint8_t length, void *buffer, uint16_t *nxtRecordId)
   1108 {
   1109 	uint8_t	cmd[256 + 8];
   1110 	int		len;
   1111 
   1112 	((uint16_t *) cmd)[0] = reserveId;
   1113 	((uint16_t *) cmd)[1] = recordId;
...
   1129 	if (nxtRecordId)
   1130 		*nxtRecordId = *(uint16_t *) cmd;

https://nxr.netbsd.org/xref/src/sys/dev/ipmi.c?r=1.10#1105

The buffer cmd is allocated with inadequate alignment for access as uint16_t, so this is undefined behaviour.
>How-To-Repeat:
code inspection, or run this on a strict-alignment architecture (if any exist with ipmi -- doesn't seem to be included in any non-x86 kernels), or run this on a compiler that assumes undefined behaviour like unaligned access is impossible and therefore infers it is safe to compile this code into nasal demons
>Fix:
Use a union/struct/&c.