public inbox for linux-kernel@vger.kernel.org
From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
To: Linux ACPI <linux-acpi@vger.kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>, Bob Moore <robert.moore@intel.com>
Subject: [PATCH 09/19] ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()
Date: Wed, 22 Dec 2021 17:31:05 +0100
Message-ID: <3081602.5fSG56mABF@kreacher>
In-Reply-To: <11889746.O9o76ZdvQC@kreacher>

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

ACPICA commit d984f12041392fa4156b52e2f7e5c5e7bc38ad9e

If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class,
acpi_ex_opcode_1A_0T_1R () calls acpi_ns_get_attached_object () to
obtain return_desc which may require additional resolution with
the help of acpi_ex_read_data_from_field (). If the latter fails,
the reference counter of the original return_desc is decremented
which is incorrect, because acpi_ns_get_attached_object () does not
increment the reference counter of the object returned by it.

This issue may lead to premature deletion of the attached object
while it is still attached and a use-after-free and crash in the
host OS.  For example, this may happen on evaluation of ref_of() on
a local region field where there is no registered handler for the
given Operation Region.

Fix it by making acpi_ex_opcode_1A_0T_1R () return Status right away
after an acpi_ex_read_data_from_field () failure.

Link: https://github.com/acpica/acpica/commit/d984f120
Link: https://github.com/acpica/acpica/pull/685
Reported-by: Lenny Szubowicz <lszubowi@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
---
 drivers/acpi/acpica/exoparg1.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/acpica/exoparg1.c b/drivers/acpi/acpica/exoparg1.c
index b639e930d642..44b7c350ed5c 100644
--- a/drivers/acpi/acpica/exoparg1.c
+++ b/drivers/acpi/acpica/exoparg1.c
@@ -1007,7 +1007,8 @@ acpi_status acpi_ex_opcode_1A_0T_1R(struct acpi_walk_state *walk_state)
 						    (walk_state, return_desc,
 						     &temp_desc);
 						if (ACPI_FAILURE(status)) {
-							goto cleanup;
+							return_ACPI_STATUS
+							    (status);
 						}
 
 						return_desc = temp_desc;
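Review bot: the direct return_ACPI_STATUS(status) inside the REFCLASS_REFOF branch bypasses the cleanup label on purpose (per the commit message, cleanup drops a reference on return_desc that acpi_ns_get_attached_object() never took), but nothing in the hunk records that intent, so a later reader could plausibly "restore" the goto cleanup. Suggest a one-line comment above the return, e.g. `/* return_desc is borrowed from the node; do not drop a reference we never took */`. It is also worth confirming that nothing acquired earlier in this function is released only at cleanup, since this early return now skips all of that path.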
-- 
2.26.2
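The borrowed-reference mistake the commit message describes, as an added example that is not ACPICA or kernel code: a miniature C model in which the stand-in for acpi_ns_get_attached_object() hands out a pointer without taking a reference, the pre-patch error path drops that reference anyway and deletes the still-attached object, and the patched path returns early and leaves it intact. The `obj`, `ns_node`, `refof_buggy`, `refof_fixed` and `attached_survives` names are hypothetical.

```c
/* Added example, not ACPICA code: a miniature model of the borrowed-reference bug this
 * patch fixes. All names are hypothetical stand-ins for the ACPICA functions they mirror. */
#include <stdbool.h>
struct obj { int refcount; bool deleted; };   /* stands in for union acpi_operand_object */
struct ns_node { struct obj *object; };       /* stands in for struct acpi_namespace_node */
/* Models acpi_ut_remove_reference(): delete when the count reaches zero. The real code
 * frees the object; a flag keeps the model free of an actual use-after-free. */
static void ut_remove_reference(struct obj *o)
{ if (!o->deleted && --o->refcount == 0) o->deleted = true; }
/* Models acpi_ns_get_attached_object(): a BORROWED pointer, the refcount is NOT incremented. */
static struct obj *ns_get_attached_object(struct ns_node *n) { return n->object; }
/* Models acpi_ex_read_data_from_field(); 'fail' stands for "no handler for this region". */
static int ex_read_data_from_field(struct obj *src, struct obj **out, bool fail)
{ *out = fail ? 0 : src; return fail ? -1 : 0; }

/* Pre-patch behaviour: the error path jumps to cleanup, which drops a reference on
 * return_desc that this function never took, so the still-attached object is deleted. */
static int refof_buggy(struct ns_node *n, bool fail, struct obj **result)
{
    struct obj *return_desc = ns_get_attached_object(n), *temp_desc;
    int status = ex_read_data_from_field(return_desc, &temp_desc, fail);
    if (status != 0)
        goto cleanup;
    return_desc = temp_desc;
cleanup:
    if (status != 0)
        ut_remove_reference(return_desc);   /* wrong: drops a reference never acquired */
    *result = status ? 0 : return_desc;
    return status;
}
/* Post-patch behaviour: return right away and leave the borrowed object untouched. */
static int refof_fixed(struct ns_node *n, bool fail, struct obj **result)
{
    struct obj *return_desc = ns_get_attached_object(n), *temp_desc;
    int status = ex_read_data_from_field(return_desc, &temp_desc, fail);
    if (status != 0)
        return status;
    *result = temp_desc;
    return status;
}
/* Does the object attached to the node survive a failed read? true means no premature delete. */
static bool attached_survives(int (*op)(struct ns_node *, bool, struct obj **))
{
    struct obj o = { .refcount = 1, .deleted = false };   /* the one reference the node holds */
    struct ns_node n = { .object = &o };
    struct obj *result = 0;
    op(&n, true, &result);
    return !o.deleted && o.refcount == 1;
}
```

With the buggy variant the node's object is flagged deleted while still attached, which is the state the real code would later dereference; the fixed variant leaves the node's single reference in place.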