Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
IronPort-SDR: V2B8afOcZs6Ny/i1kYZpx7jLQILYdIV19vu90LpkpoS065kcohM4IXRCI38scTh/2TVDMaaYPA
 zayCazxsvabw==
IronPort-SDR: zea8WnRgrA/5ZEWaPUlc9WggkQchG0DwpGl6urKqjQgOSbsDC0BwO6RJ453YFQ35I4oA8PHePv
 d1T8HhPxDUKA==
From:   "Kaneda, Erik" <erik.kaneda@intel.com>
To:     "Kaneda, Erik" <erik.kaneda@intel.com>,
        Lv Yunlong <lyl2019@mail.ustc.edu.cn>,
        "Moore, Robert" <robert.moore@intel.com>,
        "Wysocki, Rafael J" <rafael.j.wysocki@intel.com>,
        "lenb@kernel.org" <lenb@kernel.org>
CC:     "linux-acpi@vger.kernel.org" <linux-acpi@vger.kernel.org>,
        "devel@acpica.org" <devel@acpica.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH] ACPICA:dbnames: Fix a error free in
 acpi_db_walk_for_fields
Thread-Topic: [PATCH] ACPICA:dbnames: Fix a error free in
 acpi_db_walk_for_fields
Thread-Index: AQHXOwaEMMs9kJYcc06jsm/pDRsLMarLxwAwgAnGeQA=
Date:   Wed, 5 May 2021 23:11:36 +0000
Message-ID: <MWHPR11MB15993557BD12B767517A09B4F0599@MWHPR11MB1599.namprd11.prod.outlook.com>
References: <20210427014134.3568-1-lyl2019@mail.ustc.edu.cn>
 <MWHPR11MB15992FA009C23A74FCBFD204F05F9@MWHPR11MB1599.namprd11.prod.outlook.com>
In-Reply-To: <MWHPR11MB15992FA009C23A74FCBFD204F05F9@MWHPR11MB1599.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
dlp-version: 11.5.1.3
dlp-product: dlpe-windows
dlp-reaction: no-action
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: c715d7a9-f238-4ff2-4969-08d9101b21b6
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 May 2021 23:11:36.3442
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: IBGAINrw/GF9ArZwFc3ypzEJEz57eyP4tWdgmyttVk9RFcNflpYf2ozj9JbRvYn2jgvG+j60nvIzA18FCB2Pdg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1646
X-OriginatorOrg: intel.com
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


> -----Original Message-----
> From: Kaneda, Erik <erik.kaneda@intel.com>
> Sent: Thursday, April 29, 2021 11:01 AM
> To: Lv Yunlong <lyl2019@mail.ustc.edu.cn>; Moore, Robert
> <robert.moore@intel.com>; Wysocki, Rafael J <rafael.j.wysocki@intel.com>;
> lenb@kernel.org
> Cc: linux-acpi@vger.kernel.org; devel@acpica.org; linux-
> kernel@vger.kernel.org
> Subject: RE: [PATCH] ACPICA:dbnames: Fix a error free in
> acpi_db_walk_for_fields
>=20
>=20
>=20
> > -----Original Message-----
> > From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> > Sent: Monday, April 26, 2021 6:42 PM
> > To: Moore, Robert <robert.moore@intel.com>; Kaneda, Erik
> > <erik.kaneda@intel.com>; Wysocki, Rafael J <rafael.j.wysocki@intel.com>=
;
> > lenb@kernel.org
> > Cc: linux-acpi@vger.kernel.org; devel@acpica.org; linux-
> > kernel@vger.kernel.org; Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> > Subject: [PATCH] ACPICA:dbnames: Fix a error free in
> > acpi_db_walk_for_fields
> >
> > In acpi_db_walk_for_fields, buffer.pointer is freed in the first
> > time via ACPI_FREE() after acpi_os_printf("%s ", (char *)buffer.pointer=
).
> > But later, buffer.pointer is assigned to ret_value, and the freed
> > pointer is dereferenced by ret_value, which is use after free.
> >
> > In addition, buffer.pointer is freed by ACPI_FREE() again after
> > acpi_os_printf("}\n"), which is a double free.
> >
> > My patch removes the first ACPI_FREE() to avoid the uaf and double
> > free bugs.
> >
>=20
> I'll take a look
>=20
> Thanks
>=20
> > Fixes: 5fd033288a866 ("ACPICA: debugger: add command to dump all fields
> > of particular subtype")
> > Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> > ---
> >  drivers/acpi/acpica/dbnames.c | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbname=
s.c
> > index 3615e1a6efd8..dabd76df15ec 100644
> > --- a/drivers/acpi/acpica/dbnames.c
> > +++ b/drivers/acpi/acpica/dbnames.c
> > @@ -547,7 +547,6 @@ acpi_db_walk_for_fields(acpi_handle obj_handle,
> >  	}
> >
> >  	acpi_os_printf("%s ", (char *)buffer.pointer);
> > -	ACPI_FREE(buffer.pointer);

This is freeing the pointer allocated by acpi_ns_handle_to_pathname

> >
> >  	buffer.length =3D ACPI_ALLOCATE_LOCAL_BUFFER;
> >  	acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);

This call to acpi_evaluate_object will allocate an object in Buffer.Pointer=
 object so the dereference of buffer->pointer is not a use after free

> > --
> > 2.25.1
> >