RE: [PATCH] ACPICA:dbnames: Fix a error free in acpi_db_walk_for_fields

"Kaneda, Erik" <erik.kaneda@xxxxxxxxx> · Thu, 29 Apr 2021 18:00:36 +0000



> -----Original Message-----
> From: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
> Sent: Monday, April 26, 2021 6:42 PM
> To: Moore, Robert <robert.moore@xxxxxxxxx>; Kaneda, Erik
> <erik.kaneda@xxxxxxxxx>; Wysocki, Rafael J <rafael.j.wysocki@xxxxxxxxx>;
> lenb@xxxxxxxxxx
> Cc: linux-acpi@xxxxxxxxxxxxxxx; devel@xxxxxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx; Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
> Subject: [PATCH] ACPICA:dbnames: Fix a error free in
> acpi_db_walk_for_fields
> 
> In acpi_db_walk_for_fields, buffer.pointer is freed in the first
> time via ACPI_FREE() after acpi_os_printf("%s ", (char *)buffer.pointer).
> But later, buffer.pointer is assigned to ret_value, and the freed
> pointer is dereferenced by ret_value, which is use after free.
> 
> In addition, buffer.pointer is freed by ACPI_FREE() again after
> acpi_os_printf("}\n"), which is a double free.
> 
> My patch removes the first ACPI_FREE() to avoid the uaf and double
> free bugs.
> 

I'll take a look

Thanks

> Fixes: 5fd033288a866 ("ACPICA: debugger: add command to dump all fields
> of particular subtype")
> Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
> ---
>  drivers/acpi/acpica/dbnames.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c
> index 3615e1a6efd8..dabd76df15ec 100644
> --- a/drivers/acpi/acpica/dbnames.c
> +++ b/drivers/acpi/acpica/dbnames.c
> @@ -547,7 +547,6 @@ acpi_db_walk_for_fields(acpi_handle obj_handle,
>  	}
> 
>  	acpi_os_printf("%s ", (char *)buffer.pointer);
> -	ACPI_FREE(buffer.pointer);
> 
>  	buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER;
>  	acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);
> --
> 2.25.1
>