On Mon, Nov 13, 2023 at 2:33 PM Nikita Kiryushin <kiryushin@xxxxxxxx> wrote: > > Errors in acpi_evaluate_object can lead to incorrect state of buffer. > This can lead to access to data in previously ACPI_FREEd buffer and > secondary ACPI_FREE to the same buffer later. > > Handle errors in acpi_evaluate_object the same way it is done earlier > with acpi_ns_handle_to_pathname. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 5fd033288a86 ("ACPICA: debugger: add command to dump all fields > of particular subtype") > Signed-off-by: Nikita Kiryushin <kiryushin@xxxxxxxx> > --- > drivers/acpi/acpica/dbnames.c | 8 ++++++-- This is ACPICA code which comes from a separate project. The way to change it is to submit a pull request with the desired change to the upstream ACPICA project on GitHub and add a Link tag pointing to the upstream PR to the corresponding Linux patch. Then, the Linux patch can only be applied after the corresponding upstream PR has been merged. Thanks! > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c > index b91155ea9c34..c9131259f717 100644 > --- a/drivers/acpi/acpica/dbnames.c > +++ b/drivers/acpi/acpica/dbnames.c > @@ -550,8 +550,12 @@ acpi_db_walk_for_fields(acpi_handle obj_handle, > ACPI_FREE(buffer.pointer); > buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER; > - acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); > - > + status = acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); > + if (ACPI_FAILURE(status)) { > + acpi_os_printf("Could Not evaluate object %p\n", > + obj_handle); > + return (AE_OK); > + } > /* > * Since this is a field unit, surround the output in braces > */ > -- > 2.34.1 > >
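Review bot: In the new failure branch after acpi_evaluate_object(), the message prints only the raw handle with %p and discards status, so the debugger output does not say why the evaluation failed; consider adding acpi_format_exception(status) to the acpi_os_printf() call. The early return does keep the code below from using the buffer that ACPI_FREE(buffer.pointer) released just above, which matches the use-after-free and double-free described in the commit message, but in the visible lines buffer.pointer is still left stale after the free; setting it to NULL right after ACPI_FREE would keep the error path safe if code is later added between the free and the return. Minor: "Could Not" is oddly capitalized, and the hunk removes the blank line that separated the call from the following comment block, so a blank line after the closing brace would restore it.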