References: <20220124164014.51658-1-zhou1615@umn.edu>
In-Reply-To: <20220124164014.51658-1-zhou1615@umn.edu>
From: "Rafael J. Wysocki"
Date: Thu, 27 Jan 2022 20:58:39 +0100
Message-ID:
Subject: Re: [PATCH] ACPICA: Linuxize: Fix a NULL pointer dereference in acpi_db_convert_to_package()
To: Zhou Qingyang
Cc: Kangjie Lu, Robert Moore, "Rafael J. Wysocki", Len Brown, Lv Zheng, ACPI Devel Maling List, "open list:ACPI COMPONENT ARCHITECTURE (ACPICA)", Linux Kernel Mailing List
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 24, 2022 at 5:45 PM Zhou Qingyang wrote:
>
> In acpi_db_convert_to_package(), the variable elements is assigned by
> ACPI_ALLOCATE_ZEROED() and passes its address to
> acpi_db_convert_to_object(). In that function we may have a dereference
> of elements without checks. ACPI_ALLOCATE_ZEROED() would return NULL on
> failure, which may lead to a NULL pointer dereference.
>
> Fix this bug by adding a NULL check of elements.
>
> This bug was found by a static analyzer.
>
> Builds with 'make allyesconfig' show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: 995751025572 ("ACPICA: Linuxize: Export debugger files to Linux")
> Signed-off-by: Zhou Qingyang

This is ACPICA material and so it should be submitted as a change
against the upstream code via https://github.com/acpica/acpica

Thanks!

> ---
> The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths
> and confirms that the inconsistent operations are not recovered in the
> current function or the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> drivers/acpi/acpica/dbconvert.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/acpi/acpica/dbconvert.c b/drivers/acpi/acpica/dbconvert.c
> index 2b84ac093698..8dbab6932049 100644
> --- a/drivers/acpi/acpica/dbconvert.c > +++ b/drivers/acpi/acpica/dbconvert.c > @@ -174,6 +174,8 @@ acpi_status acpi_db_convert_to_package(char *string, union acpi_object *object) > elements = > ACPI_ALLOCATE_ZEROED(DB_DEFAULT_PKG_ELEMENTS * > sizeof(union acpi_object)); > + if (!elements) > + return (AE_NO_MEMORY); > > this = string; > for (i = 0; i < (DB_DEFAULT_PKG_ELEMENTS - 1); i++) { > -- > 2.25.1 >
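Review bot: The new early return at `+ if (!elements)` / `+ return (AE_NO_MEMORY);` sits before `this = string;` and the element loop, so nothing visible in the hunk is leaked on that path, but the hunk starts at line 174 and shows nothing of what acpi_db_convert_to_package() may have acquired earlier; please confirm in the full function that no earlier allocation or object needs releasing before returning. The parenthesised `return (AE_NO_MEMORY);` already follows the ACPICA return-value style, which fits the maintainer's request above that the change go in through https://github.com/acpica/acpica first so the Linuxized copy in drivers/acpi/acpica/ does not diverge from upstream.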
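The defect the patch addresses, a zeroed allocation whose result is handed on and dereferenced without a NULL check, is easiest to reason about with a fault-injecting allocator, because a real out-of-memory condition is hard to provoke. The following is an added example written for this page, not ACPICA or kernel code: the names demo_status, DEMO_NO_MEMORY, DEMO_PKG_ELEMENTS, demo_allocate_zeroed and demo_convert_to_package are hypothetical stand-ins for AE_NO_MEMORY, DB_DEFAULT_PKG_ELEMENTS, ACPI_ALLOCATE_ZEROED and acpi_db_convert_to_package, and the converter parses a simple comma-separated integer list instead of the real debugger syntax. It shows the checked allocation returning a status on failure, and a test hook that forces the allocation to fail so the no-memory path can actually be exercised.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-ins (not ACPICA code) for the names in the patch:
 * an ACPICA-style status type, a package element and a zeroed allocator.
 */
typedef int demo_status;
#define DEMO_OK         0
#define DEMO_NO_MEMORY  1   /* plays the role of AE_NO_MEMORY */
#define DEMO_BAD_DATA   2

#define DEMO_PKG_ELEMENTS 8 /* plays the role of DB_DEFAULT_PKG_ELEMENTS */

struct demo_object { unsigned long value; };   /* stand-in for union acpi_object */
struct demo_package { size_t count; struct demo_object *elements; };

/* Fault-injection switch: when set, the next allocation fails (constructed for the example). */
static int demo_fail_next_alloc = 0;

static void *demo_allocate_zeroed(size_t n)
{
    if (demo_fail_next_alloc) {
        demo_fail_next_alloc = 0;
        return NULL;
    }
    return calloc(1, n);
}

/*
 * Parse a comma-separated list of decimal integers into a package of at most
 * DEMO_PKG_ELEMENTS elements. Returns a status; *out is valid only on DEMO_OK
 * and must then be released with demo_free_package().
 */
demo_status demo_convert_to_package(const char *string, struct demo_package *out)
{
    struct demo_object *elements;
    const char *p;
    size_t i;

    elements = demo_allocate_zeroed(DEMO_PKG_ELEMENTS * sizeof(struct demo_object));
    /* The check the patch adds: without it the loop below writes through NULL. */
    if (!elements)
        return DEMO_NO_MEMORY;

    p = string;
    for (i = 0; i < DEMO_PKG_ELEMENTS && *p; i++) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p) {            /* not a number: release what we own and bail out */
            free(elements);
            return DEMO_BAD_DATA;
        }
        elements[i].value = v;
        p = (*end == ',') ? end + 1 : end;
    }
    out->count = i;
    out->elements = elements;
    return DEMO_OK;
}

void demo_free_package(struct demo_package *pkg)
{
    free(pkg->elements);
    pkg->elements = NULL;
    pkg->count = 0;
}

/* Convert under an optionally injected allocation failure and report only the status. */
demo_status demo_try_convert(const char *string, int fail_alloc)
{
    struct demo_package pkg;
    demo_status status;

    demo_fail_next_alloc = fail_alloc;
    status = demo_convert_to_package(string, &pkg);
    if (status == DEMO_OK)
        demo_free_package(&pkg);
    return status;
}

/* Sum of the parsed elements, or -1 if conversion fails (exercises the success path end to end). */
long demo_sum_package(const char *string)
{
    struct demo_package pkg;
    long sum = 0;
    size_t i;

    if (demo_convert_to_package(string, &pkg) != DEMO_OK)
        return -1;
    for (i = 0; i < pkg.count; i++)
        sum += (long)pkg.elements[i].value;
    demo_free_package(&pkg);
    return sum;
}

int main(void)
{
    printf("normal: %d  injected OOM: %d  sum: %ld\n",
           demo_try_convert("1,2,3", 0), demo_try_convert("1,2,3", 1),
           demo_sum_package("4,5,6"));
    return 0;
}
```

The point of the injection switch is that an unchecked-allocation bug is invisible under normal testing; forcing the allocator to return NULL once is what turns "the static analyzer says so" into a path that can be run, and the same hook lets you confirm that the early return does not leak anything acquired before the allocation.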