linux/drivers/acpi
Li Zetao 6fde666278 ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
[ Upstream commit 470188b09e ]

There is a use-after-free reported by KASAN:

  BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
  Read of size 1 at addr ffff888112afc460 by task modprobe/2111
  CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  Call Trace:
   <TASK>
   kasan_report+0xae/0xe0
   acpi_ut_remove_reference+0x3b/0x82
   acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
   acpi_ds_store_object_to_local+0x15d/0x3a0
   acpi_ex_store+0x78d/0x7fd
   acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
   acpi_ps_parse_aml+0x217/0x8d5
   ...
   </TASK>

The root cause of the problem is that the acpi_operand_object
is freed when acpi_ut_walk_package_tree() fails in
acpi_ut_copy_ipackage_to_ipackage(), leading to a repeated release in
acpi_ut_copy_iobject_to_iobject(). The problem was introduced
by commit "8aa5e56eeb61". That commit is to fix a memory leak in
acpi_ut_copy_iobject_to_iobject(); repeatedly adding the remove
operation leads to "acpi_operand_object" being used after free.

Fix it by removing acpi_ut_remove_reference() in
acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()
is called to copy an internal package object into another internal
package object. When it fails, the memory of acpi_operand_object
should be freed by the caller.

Fixes: 8aa5e56eeb ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-31 13:14:04 +01:00
..
acpica ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() 2022-12-31 13:14:04 +01:00
apei ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init() 2022-11-10 18:15:34 +01:00
arm64 ACPI/IORT: Check node revision for PMCG resources 2022-02-16 12:56:19 +01:00
dptf ACPI: DPTF: Add new PCH FIVR methods 2021-08-04 18:08:50 +02:00
nfit ACPI: NFIT: Use fallback node id when numa info in NFIT table is incorrect 2021-09-27 11:40:43 -07:00
numa ACPI: HMAT: Fix initiator registration for single-initiator systems 2022-12-08 11:28:45 +01:00
pmic ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses 2021-11-18 19:17:06 +01:00
x86 ACPI: x86: Add another system to quirk list for forcing StorageD3Enable 2022-11-26 09:24:31 +01:00
ac.c ACPI: AC: Quirk GK45 to skip reading _PSR 2021-11-18 19:16:19 +01:00
acpi_adxl.c
acpi_amba.c ACPI: AMBA: Fix resource name in /proc/iomem 2021-06-30 20:01:10 +02:00
acpi_apd.c serial: 8250_dw: Add device HID for new AMD UART controller 2021-05-13 17:08:42 +02:00
acpi_cmos_rtc.c ACPI: cmos_rtc: Using pr_fmt() and remove PREFIX 2021-06-07 15:36:45 +02:00
acpi_configfs.c ACPI: configfs: Make get_header() to return error pointer 2021-07-16 19:20:28 +02:00
acpi_dbg.c ACPI: debug: Remove the not used function 2020-11-17 18:12:34 +01:00
acpi_extlog.c ACPI: extlog: Handle multiple records 2022-10-29 10:12:55 +02:00
acpi_fpdt.c ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address 2022-10-26 12:35:30 +02:00
acpi_ipmi.c ACPI: ipmi: Remove address space handler in error path 2021-05-24 16:27:34 +02:00
acpi_lpat.c
acpi_lpit.c
acpi_lpss.c ACPI: LPSS: Fix missing check in register_device_clock() 2022-08-17 14:23:03 +02:00
acpi_memhotplug.c ACPI: memhotplug: use a single static memory group for a single memory device 2021-09-08 11:50:23 -07:00
acpi_pad.c ACPI: processor: Replace deprecated CPU-hotplug functions 2021-08-04 20:25:54 +02:00
acpi_platform.c
acpi_pnp.c ACPI: PNP: compare the string length in the matching_id() 2020-12-15 19:30:49 +01:00
acpi_processor.c ACPI: processor: Replace deprecated CPU-hotplug functions 2021-08-04 20:25:54 +02:00
acpi_tad.c ACPI: Use DEVICE_ATTR_<RW|RO|WO> macros 2021-01-22 16:17:19 +01:00
acpi_video.c ACPI: video: Add Toshiba Satellite/Portege Z830 quirk 2022-10-26 12:35:30 +02:00
acpi_watchdog.c ACPI: watchdog: Replace open coded variant of resource_union() 2020-11-17 18:06:29 +01:00
battery.c ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 2022-03-28 09:58:44 +02:00
bgrt.c ACPI: bgrt: Use sysfs_emit 2021-06-23 19:27:50 +02:00
blacklist.c ACPI: blacklist: Unify the message printing 2021-06-07 15:36:45 +02:00
bus.c ACPI: VIOT: Fix ACS setup 2022-08-17 14:23:11 +02:00
button.c ACPI: button: Add DMI quirk for Lenovo Yoga 9 (14INTL5) 2021-08-25 19:57:01 +02:00
container.c
cppc_acpi.c ACPI: CPPC: Do not prevent CPPC from working in the future 2022-08-17 14:24:25 +02:00
custom_method.c ACPI: custom_method: fix a possible memory leak 2021-04-28 19:17:54 +02:00
debugfs.c
device_pm.c for-5.14/drivers-2021-06-29 2021-06-30 12:21:16 -07:00
device_sysfs.c ACPI: sysfs: fix doc warnings in device_sysfs.c 2021-06-17 14:32:05 +02:00
dock.c ACPI: dock: fix some coding style issues 2021-04-08 16:27:03 +02:00
ec_sys.c
ec.c ACPI: EC: Drop the EC_FLAGS_IGNORE_DSDT_GPE quirk 2022-08-17 14:23:03 +02:00
event.c Merge branches 'acpi-ec', 'acpi-apei', 'acpi-soc' and 'acpi-misc' 2021-06-29 15:51:25 +02:00
evged.c ACPI: GED: fix -Wformat 2020-11-09 19:25:20 +01:00
fan.c ACPI: PM / fan: Put fan device IDs into separate header file 2021-05-21 19:02:35 +02:00
fan.h ACPI: PM / fan: Put fan device IDs into separate header file 2021-05-21 19:02:35 +02:00
glue.c Revert "ACPI: scan: Release PM resources blocked by unused objects" 2021-11-21 13:44:14 +01:00
hed.c ACPI: HED: Drop unused ACPI_MODULE_NAME() definition 2021-03-08 16:51:48 +01:00
internal.h ACPI: EC: Rework flushing of EC work while suspended to idle 2022-01-27 11:03:23 +01:00
ioapic.c
irq.c ACPI: irq: Prevent unregistering of GIC SGIs 2021-04-23 18:00:52 +01:00
Kconfig Merge branches 'acpi-numa', 'acpi-glue', 'acpi-config' and 'acpi-pmic' 2021-08-30 19:30:37 +02:00
Makefile IOMMU Updates for Linux v5.14 2021-07-02 13:22:47 -07:00
nvs.c Merge branches 'acpi-ec', 'acpi-apei', 'acpi-soc' and 'acpi-misc' 2021-06-29 15:51:25 +02:00
osi.c
osl.c Revert "ACPI: Add memory semantics to acpi_os_map_memory()" 2021-09-23 20:39:36 +02:00
pci_irq.c ACPI: PCI: IRQ: Consolidate printing diagnostic messages 2021-03-08 16:51:08 +01:00
pci_link.c ACPI: utils: Introduce acpi_evaluation_failure_warn() 2021-03-08 19:10:30 +01:00
pci_mcfg.c PCI/ACPI: Guard ARM64-specific mcfg_quirks 2022-08-25 11:40:36 +02:00
pci_root.c ACPI: APEI: explicit init of HEST and GHES in apci_init() 2022-08-17 14:23:11 +02:00
pci_slot.c
platform_profile.c ACPI: platform-profile: call sysfs_notify() from platform_profile_store() 2021-08-16 18:32:02 +02:00
power.c ACPI: PM: Fix device wakeup power reference counting error 2021-11-18 19:17:09 +01:00
pptt.c ACPI: tables: PPTT: Populate cache-id if provided by firmware 2021-06-07 15:55:02 +02:00
prmt.c ACPI: PRM: Find PRMT table before parsing it 2021-09-08 20:56:57 +02:00
proc.c
processor_core.c ACPI: processor: Remove dead ACPICA debug code 2020-09-25 18:25:51 +02:00
processor_driver.c ACPI: processor: Get rid of ACPICA message printing 2021-03-08 16:51:19 +01:00
processor_idle.c ACPI: processor/idle: Annotate more functions to live in cpuidle section 2022-08-17 14:23:06 +02:00
processor_pdc.c ACPI: processor: Get rid of ACPICA message printing 2021-03-08 16:51:19 +01:00
processor_perflib.c ACPI: processor_perflib: Cleanup print messages 2021-06-07 15:36:46 +02:00
processor_thermal.c ACPI: processor: Remove freq Qos request for all CPUs 2022-08-31 17:16:48 +02:00
processor_throttling.c Merge branches 'acpi-dptf' and 'acpi-messages' 2021-06-29 15:50:37 +02:00
property.c ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool 2022-08-25 11:40:10 +02:00
reboot.c ACPI: reboot: Unify the message printing 2021-06-07 15:36:46 +02:00
resource.c ACPI: resource: skip IRQ override on AMD Zen platforms 2022-09-20 12:39:42 +02:00
sbs.c ACPI: sbs: Unify the message printing 2021-06-07 15:36:46 +02:00
sbshc.c Merge branches 'acpi-ec', 'acpi-apei', 'acpi-soc' and 'acpi-misc' 2021-06-29 15:51:25 +02:00
sbshc.h ACPI: Fix whitespace inconsistencies 2020-11-09 19:08:06 +01:00
scan.c ACPI: scan: Add LATT2021 to acpi_ignore_dep_ids[] 2022-11-26 09:24:31 +01:00
sleep.c ACPI: PM: save NVS memory for Lenovo G40-45 2022-08-17 14:23:03 +02:00
sleep.h Revert "Revert "ACPI: scan: Turn off unused power resources during initialization"" 2021-05-10 14:02:17 +02:00
spcr.c ACPI: SPCR: Add support for the new 16550-compatible Serial Port Subtype 2021-08-16 18:38:08 +02:00
sysfs.c ACPI: sysfs: Fix BERT error region memory mapping 2022-05-30 09:28:58 +02:00
tables.c memblock: exclude MEMBLOCK_NOMAP regions from kmemleak 2021-10-21 18:30:49 -10:00
thermal.c ACPI: thermal: drop an always true check 2022-09-05 10:30:03 +02:00
tiny-power-button.c ACPI: tiny-power-button: Simplify the code using module_acpi_driver() 2020-11-17 18:12:34 +01:00
utils.c ACPI: utils: Fix reference counting in for_each_acpi_dev_match() 2021-07-19 16:22:01 +02:00
video_detect.c ACPI: video: Force backlight native for more TongFang devices 2022-10-29 10:12:58 +02:00
viot.c ACPI: VIOT: Fix ACS setup 2022-08-17 14:23:11 +02:00
wakeup.c ACPI: Fix whitespace inconsistencies 2020-11-09 19:08:06 +01:00