Message ID | b8c5f018-4883-4c14-84ab-0514edac2770@ancud.ru |
---|---|
State | Superseded |
Series | ACPICA: debugger: check status of acpi_evaluate_object in acpi_db_walk_for_fields |
On Mon, Nov 13, 2023 at 2:33 PM Nikita Kiryushin <kiryushin@ancud.ru> wrote: > > Errors in acpi_evaluate_object can lead to incorrect state of buffer. > This can lead to access to data in previously ACPI_FREEd buffer and > secondary ACPI_FREE to the same buffer later. > > Handle errors in acpi_evaluate_object the same way it is done earlier > with acpi_ns_handle_to_pathname. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 5fd033288a86 ("ACPICA: debugger: add command to dump all fields > of particular subtype") > Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru> > --- > drivers/acpi/acpica/dbnames.c | 8 ++++++-- This is ACPICA code which comes from a separate project. The way to change it is to submit a pull request with the desired change to the upstream ACPICA project on GitHub and add a Link tag pointing to the upstream PR to the corresponding Linux patch. Then, the Linux patch can only be applied after the corresponding upstream PR has been merged. Thanks! > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c > index b91155ea9c34..c9131259f717 100644 > --- a/drivers/acpi/acpica/dbnames.c > +++ b/drivers/acpi/acpica/dbnames.c > @@ -550,8 +550,12 @@ acpi_db_walk_for_fields(acpi_handle obj_handle, > ACPI_FREE(buffer.pointer); > buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER; > - acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); > - > + status = acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); > + if (ACPI_FAILURE(status)) { > + acpi_os_printf("Could Not evaluate object %p\n", > + obj_handle); > + return (AE_OK); > + } > /* > * Since this is a field unit, surround the output in braces > */ > -- > 2.34.1 > >
On Fri, Mar 22, 2024 at 7:23 PM Nikita Kiryushin <kiryushin@ancud.ru> wrote: > > ACPICA commit 9061cd9aa131205657c811a52a9f8325a040c6c9 > > Errors in acpi_evaluate_object can lead to incorrect state of buffer. > This can lead to access to data in previously ACPI_FREEd buffer and > secondary ACPI_FREE to the same buffer later. > > Handle errors in acpi_evaluate_object the same way it is done earlier > with acpi_ns_handle_to_pathname. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Link: https://github.com/acpica/acpica/commit/9061cd9a > Fixes: 5fd033288a86 ("ACPICA: debugger: add command to dump all fields of particular subtype") > Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru> > --- > v2: Add ACPICA project git links for corresponding changes > drivers/acpi/acpica/dbnames.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c > index b91155ea9c34..c9131259f717 100644 > --- a/drivers/acpi/acpica/dbnames.c > +++ b/drivers/acpi/acpica/dbnames.c > @@ -550,8 +550,12 @@ acpi_db_walk_for_fields(acpi_handle obj_handle, > ACPI_FREE(buffer.pointer); > > buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER; > - acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); > - > + status = acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); > + if (ACPI_FAILURE(status)) { > + acpi_os_printf("Could Not evaluate object %p\n", > + obj_handle); > + return (AE_OK); > + } > /* > * Since this is a field unit, surround the output in braces > */ > -- Applied as 6.10 material, thanks!
diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c index b91155ea9c34..c9131259f717 100644 --- a/drivers/acpi/acpica/dbnames.c +++ b/drivers/acpi/acpica/dbnames.c @@ -550,8 +550,12 @@ acpi_db_walk_for_fields(acpi_handle obj_handle, ACPI_FREE(buffer.pointer); buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER; - acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); - + status = acpi_evaluate_object(obj_handle, NULL, NULL, &buffer); + if (ACPI_FAILURE(status)) { + acpi_os_printf("Could Not evaluate object %p\n", + obj_handle); + return (AE_OK); + } /* * Since this is a field unit, surround the output in braces */ -- 2.34.1
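Review bot: In the new if (ACPI_FAILURE(status)) branch, buffer.pointer still holds the address passed to ACPI_FREE(buffer.pointer) two lines above, because nothing in the hunk clears it before the call. The early return keeps the code below from touching it, but the safety then rests entirely on that return; consider setting buffer.pointer = NULL right after the ACPI_FREE so a stale pointer cannot be dereferenced or freed again if a later change adds a path past this check. The message also drops the failure reason: printing acpi_format_exception(status) alongside the handle would tell the debugger user why evaluation failed. Two smaller points: return (AE_OK) discards the error, so a short comment saying the walk is meant to continue would help, and the hunk removes the blank line that separated the call from the following comment block.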
Errors in acpi_evaluate_object can lead to incorrect state of buffer.
This can lead to access to data in previously ACPI_FREEd buffer and
secondary ACPI_FREE to the same buffer later.

Handle errors in acpi_evaluate_object the same way it is done earlier
with acpi_ns_handle_to_pathname.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5fd033288a86 ("ACPICA: debugger: add command to dump all fields of particular subtype")
Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
---
drivers/acpi/acpica/dbnames.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)