RE: [PATCH] ACPICA:dbnames: Fix a error free in acpi_db_walk_for_fields

"Kaneda, Erik" <erik.kaneda@xxxxxxxxx> · Wed, 5 May 2021 23:11:36 +0000



> -----Original Message-----
> From: Kaneda, Erik <erik.kaneda@xxxxxxxxx>
> Sent: Thursday, April 29, 2021 11:01 AM
> To: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>; Moore, Robert
> <robert.moore@xxxxxxxxx>; Wysocki, Rafael J <rafael.j.wysocki@xxxxxxxxx>;
> lenb@xxxxxxxxxx
> Cc: linux-acpi@xxxxxxxxxxxxxxx; devel@xxxxxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx
> Subject: RE: [PATCH] ACPICA:dbnames: Fix a error free in
> acpi_db_walk_for_fields
> 
> 
> 
> > -----Original Message-----
> > From: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
> > Sent: Monday, April 26, 2021 6:42 PM
> > To: Moore, Robert <robert.moore@xxxxxxxxx>; Kaneda, Erik
> > <erik.kaneda@xxxxxxxxx>; Wysocki, Rafael J <rafael.j.wysocki@xxxxxxxxx>;
> > lenb@xxxxxxxxxx
> > Cc: linux-acpi@xxxxxxxxxxxxxxx; devel@xxxxxxxxxx; linux-
> > kernel@xxxxxxxxxxxxxxx; Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
> > Subject: [PATCH] ACPICA:dbnames: Fix a error free in
> > acpi_db_walk_for_fields
> >
> > In acpi_db_walk_for_fields, buffer.pointer is freed in the first
> > time via ACPI_FREE() after acpi_os_printf("%s ", (char *)buffer.pointer).
> > But later, buffer.pointer is assigned to ret_value, and the freed
> > pointer is dereferenced by ret_value, which is use after free.
> >
> > In addition, buffer.pointer is freed by ACPI_FREE() again after
> > acpi_os_printf("}\n"), which is a double free.
> >
> > My patch removes the first ACPI_FREE() to avoid the uaf and double
> > free bugs.
> >
> 
> I'll take a look
> 
> Thanks
> 
> > Fixes: 5fd033288a866 ("ACPICA: debugger: add command to dump all fields
> > of particular subtype")
> > Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
> > ---
> >  drivers/acpi/acpica/dbnames.c | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c
> > index 3615e1a6efd8..dabd76df15ec 100644
> > --- a/drivers/acpi/acpica/dbnames.c
> > +++ b/drivers/acpi/acpica/dbnames.c
> > @@ -547,7 +547,6 @@ acpi_db_walk_for_fields(acpi_handle obj_handle,
> >  	}
> >
> >  	acpi_os_printf("%s ", (char *)buffer.pointer);
> > -	ACPI_FREE(buffer.pointer);

This is freeing the pointer allocated by acpi_ns_handle_to_pathname

> >
> >  	buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER;
> >  	acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);

This call to acpi_evaluate_object will allocate an object in Buffer.Pointer object so the dereference of buffer->pointer is not a use after free

> > --
> > 2.25.1
> >