Suspicious kfree at the end of cm_write
- To: linux-acpi@xxxxxxxxxxxxxxx
- Subject: Suspicious kfree at the end of cm_write
- From: Mark Langsdorf <mlangsdo@xxxxxxxxxx>
- Date: Fri, 23 Apr 2021 09:37:53 -0500
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0
commit 03d1571d added an unconditional kfree() to the end of cm_write()
in drivers/acpi/custom_method.c. I've been reviewing commits after the
unm issue, and I think this code is wrong. If cm_write() is called with
*ppos = 0 and count < table.length, the buf is kzalloc'd and immediately
free'd. On subsequent calls to cm_write(), if cumulative count equals
table.length, then the current contents of buf are passed to
acpi_install_method. In the extremely unlikely case that buf has been
reallocated and overwritten with a different but valid ACPI method, then
some method other than the intended method could be installed. I'm not
sure that this is a security issue but I don't think this code is correct.
It's a trivial patch to fix, but I'm not certain of my analysis. Could
someone who is more familiar with cm_write review commit 03d1571d and
tell me if I'm off base here?
--Mark Langsdorf
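
The sequence described in the message above, as an added user-space model; it is not part of the original email and is not the kernel source. All names (`model_write`, `struct writer`, `buf_live`, `free_at_end`) and the 8-byte table split into two chunks are assumptions, and the model reports the stale-buffer state rather than touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of a chunked write handler whose buffer persists between
 * calls. Hypothetical names throughout; this is not the kernel source. */
enum { W_PARTIAL = 1, W_INSTALLED = 2, W_STALE_BUF = -1, W_INVALID = -2 };

struct writer {
    char  *buf;         /* persists across calls */
    int    buf_live;    /* model-only: 1 while buf is a valid allocation */
    size_t total;       /* stands in for table.length */
    size_t remaining;   /* bytes still expected */
    int    free_at_end; /* 1 = free at the end of every call */
};

int model_write(struct writer *w, const char *src, size_t count, size_t *ppos)
{
    if (*ppos == 0) {                 /* first chunk: size and allocate */
        w->total = w->remaining = 8;  /* constructed; normally read from the header */
        w->buf = calloc(1, w->total);
        if (!w->buf) return W_INVALID;
        w->buf_live = 1;
    }
    if (count > w->remaining || *ppos > w->total - count) return W_INVALID;
    /* A real handler would copy into buf here. The model stops instead,
     * so the demo never reads or writes freed memory. */
    if (!w->buf_live) return W_STALE_BUF;
    memcpy(w->buf + *ppos, src, count);
    w->remaining -= count; *ppos += count;
    if (w->remaining == 0) {          /* complete: the install step would run here */
        free(w->buf);
        w->buf = NULL; w->buf_live = 0;
        return W_INSTALLED;
    }
    if (w->free_at_end) {             /* partial write, buffer freed anyway */
        free(w->buf);                 /* pointer is not cleared: dangling */
        w->buf_live = 0;
    }
    return W_PARTIAL;
}

/* Write a constructed 8-byte table as chunks of 5 and 3 bytes. */
int second_chunk_result(int free_at_end)
{
    struct writer w = { .free_at_end = free_at_end };
    size_t pos = 0;
    if (model_write(&w, "TABLE", 5, &pos) != W_PARTIAL) return W_INVALID;
    return model_write(&w, "END", 3, &pos);
}
int main(void) { printf("%d %d\n", second_chunk_result(1), second_chunk_result(0)); return 0; }
```

With `free_at_end` set, the second chunk arrives while the pointer still refers to released memory; with it cleared, the buffer survives until the final chunk and is released once.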