From: Li Zetao
Subject: [PATCH] ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
Date: Thu, 1 Dec 2022 16:05:14 +0800
Message-ID: <20221201080514.3015400-1-lizetao1@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

There is a use-after-free reported by KASAN:

BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
Read of size 1 at addr ffff888112afc460 by task modprobe/2111
CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
Call Trace:
 kasan_report+0xae/0xe0
 acpi_ut_remove_reference+0x3b/0x82
 acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
 acpi_ds_store_object_to_local+0x15d/0x3a0
 acpi_ex_store+0x78d/0x7fd
 acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
 acpi_ps_parse_aml+0x217/0x8d5
 ...

The root cause of the problem is that the acpi_operand_object is freed when acpi_ut_walk_package_tree() fails in acpi_ut_copy_ipackage_to_ipackage(), leading to a repeated release in acpi_ut_copy_iobject_to_iobject(). The problem was introduced by commit "8aa5e56eeb61"; that commit fixes a memory leak in acpi_ut_copy_iobject_to_iobject(), but by repeatedly adding the remove operation it leads to the "acpi_operand_object" being used after free. Fix it by removing acpi_ut_remove_reference() in acpi_ut_copy_ipackage_to_ipackage().
acpi_ut_copy_ipackage_to_ipackage() is called to copy an internal package object into another internal package object; when it fails, the memory of the acpi_operand_object should be freed by the caller.

Fixes: 8aa5e56eeb61 ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject")
Signed-off-by: Li Zetao
---
 drivers/acpi/acpica/utcopy.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c index 400b9e15a709..63c17f420fb8 100644 --- a/drivers/acpi/acpica/utcopy.c +++ b/drivers/acpi/acpica/utcopy.c @@ -916,13 +916,6 @@ acpi_ut_copy_ipackage_to_ipackage(union acpi_operand_object *source_obj, status = acpi_ut_walk_package_tree(source_obj, dest_obj, acpi_ut_copy_ielement_to_ielement, walk_state); - if (ACPI_FAILURE(status)) { - - /* On failure, delete the destination package object */ - - acpi_ut_remove_reference(dest_obj); - } - return_ACPI_STATUS(status); } -- 2.31.1
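Review bot: dropping the whole `if (ACPI_FAILURE(status))` block in the utcopy.c hunk removes the only in-function statement of who owns dest_obj on failure, and the commit message only establishes that acpi_ut_copy_iobject_to_iobject() already drops that reference; before this lands, every other caller of acpi_ut_copy_ipackage_to_ipackage() needs the same check, otherwise the double free in one caller becomes a leak of dest_obj in another. Suggest keeping a short comment next to `return_ACPI_STATUS(status);` noting that on failure the caller must release dest_obj, so the ownership rule the deleted `/* On failure, delete the destination package object */` comment used to document is not lost.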