On Fri, Mar 22, 2024 at 7:23 PM Nikita Kiryushin <kiryushin@xxxxxxxx> wrote: > > ACPICA commit 9061cd9aa131205657c811a52a9f8325a040c6c9 > > Errors in acpi_evaluate_object can lead to incorrect state of buffer. > This can lead to access to data in previously ACPI_FREEd buffer and > secondary ACPI_FREE to the same buffer later. > > Handle errors in acpi_evaluate_object the same way it is done earlier > with acpi_ns_handle_to_pathname. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Link: https://github.com/acpica/acpica/commit/9061cd9a > Fixes: 5fd033288a86 ("ACPICA: debugger: add command to dump all fields of particular subtype") > Signed-off-by: Nikita Kiryushin <kiryushin@xxxxxxxx> > --- > v2: Add ACPICA project git links for corresponding changes > drivers/acpi/acpica/dbnames.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c > index b91155ea9c34..c9131259f717 100644 > --- a/drivers/acpi/acpica/dbnames.c > +++ b/drivers/acpi/acpica/dbnames.c > @@ -550,8 +550,12 @@ acpi_db_walk_for_fields(acpi_handle obj_handle, > ACPI_FREE(buffer.pointer); > > buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER; > - acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); > - > + status = acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); > + if (ACPI_FAILURE(status)) { > + acpi_os_printf("Could Not evaluate object %p\n", > + obj_handle); > + return (AE_OK); > + } > /* > * Since this is a field unit, surround the output in braces > */ > -- Applied as 6.10 material, thanks!
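Review bot: In the new `if (ACPI_FAILURE(status))` branch, the failure code is dropped. The message prints only `obj_handle` and the function returns `AE_OK`, so neither the debugger output nor the caller shows why the evaluation failed. Returning `AE_OK` is reasonable if the intent is to let the namespace walk continue past one bad field, but the cause should then appear in the output, for example by adding `acpi_format_exception(status)` to the `acpi_os_printf` arguments. Separately, the context line `ACPI_FREE(buffer.pointer);` leaves `buffer.pointer` holding the freed address until `acpi_evaluate_object` succeeds. Setting it to NULL right after the free would keep any later path that skips this check from touching the stale pointer, which is the failure the commit message describes. Style: the hunk removes the blank line that separated the call from the following comment, so the closing brace now sits directly against `/*`; keeping one blank line after the brace would preserve the original spacing.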