In acpi_db_walk_for_fields, buffer.pointer is freed the first time via ACPI_FREE() after acpi_os_printf("%s ", (char *)buffer.pointer). But later, buffer.pointer is assigned to ret_value, and the freed pointer is dereferenced through ret_value, which is a use after free. In addition, buffer.pointer is freed by ACPI_FREE() again after acpi_os_printf("}\n"), which is a double free. My patch removes the first ACPI_FREE() to avoid the UAF and double free bugs.

Fixes: 5fd033288a866 ("ACPICA: debugger: add command to dump all fields of particular subtype")
Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
---
 drivers/acpi/acpica/dbnames.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c index 3615e1a6efd8..dabd76df15ec 100644 --- a/drivers/acpi/acpica/dbnames.c +++ b/drivers/acpi/acpica/dbnames.c @@ -547,7 +547,6 @@ acpi_db_walk_for_fields(acpi_handle obj_handle, } acpi_os_printf("%s ", (char *)buffer.pointer); - ACPI_FREE(buffer.pointer); buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER; acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); -- 2.25.1
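Review bot: dropping this ACPI_FREE() trades a conditional use-after-free for an unconditional leak, because the two context lines that follow it set buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER and call acpi_evaluate_object(), which on success allocates a fresh result buffer and overwrites buffer.pointer; on that path the removed free was the only release of the pathname string that the preceding acpi_os_printf("%s ", ...) printed, so every field walked now leaks it. The use-after-free and double free described in the commit message can only occur when acpi_evaluate_object() fails and leaves buffer.pointer still pointing at the freed pathname, and the hunk shows that call's status being discarded. Keep the ACPI_FREE() and check the result instead, e.g. `status = acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);` followed by `if (ACPI_FAILURE(status)) {` and an early return from the walk callback, so that the later ret_value dereference and the second ACPI_FREE() only ever run on a buffer the evaluation actually allocated.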