Date:   Mon, 6 Feb 2017 01:44:15 +0000
From:   "Zheng, Lv" <lv.zheng@...el.com>
To:     "Moore, Robert" <robert.moore@...el.com>,
        João Paulo Rechi Vita <jprvita@...il.com>,
        "Wysocki, Rafael J" <rafael.j.wysocki@...el.com>,
        "Len Brown" <lenb@...nel.org>, Lin Ming <ming.m.lin@...el.com>
CC:     "linux-acpi@...r.kernel.org" <linux-acpi@...r.kernel.org>,
        "devel@...ica.org" <devel@...ica.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Daniel Drake <drake@...lessm.com>,
        "linux@...lessm.com" <linux@...lessm.com>,
        João Paulo Rechi Vita <jprvita@...lessm.com>,
        "Box, David E" <david.e.box@...el.com>,
        "Schmauss, Erik" <erik.schmauss@...el.com>
Subject: RE: [PATCH] acpica: Fix double-free in acpi_ns_repair_CID()

Hi,

So if a real problem related to package reference counting is triggered, the problem should be fixed elsewhere IMO.
See this bug for reference:
https://bugs.acpica.org/show_bug.cgi?id=1336

Thanks and best regards
Lv

> From: Moore, Robert
> Subject: RE: [PATCH] acpica: Fix double-free in acpi_ns_repair_CID()
> 
> Here's the sequence of events as I see it:
> 
> Repair_HID is a standalone function that removes one reference on the incoming object. For simple _HID
> objects, this in fact deletes the object.
> 
> For _CID, all elements of the package are examined. If a repair was made on a _HID within the _CID
> function, one reference on the original object was removed by Repair_HID. However, since the object is
> part of a package, it has an extra reference to reflect this fact. Thus, in the case in question, the
> elements of the package all have at least two references. Repair_HID removes one reference, thus the
> extra RemoveReference is needed in Repair_CID to bring the reference count down to zero actually
> delete the object (in the typical case where the object had two references).
> 
> Bob
> 
> 
> > From: João Paulo Rechi Vita [mailto:jprvita@...il.com]
> > Subject: [PATCH] acpica: Fix double-free in acpi_ns_repair_CID()
> >
> > When acpi_ns_repair_CID() is called for a _CID which returns a package of
> > strings, it calls acpi_ns_repair_HID() for each of the package elements.
> > acpi_ns_repair_HID() calls acpi_ut_remove_reference() on the original
> > object, but acpi_ns_repair_CID() calls it again on return, leading to a
> > double free.
> >
> > This problem was seen on an Acer TravelMate P449-G2-MG.
> >
> > Thanks to Daniel Drake for helping investigating this problem.
> >
> > Signed-off-by: João Paulo Rechi Vita <jprvita@...lessm.com>
> > ---
> >  drivers/acpi/acpica/nsrepair2.c | 2 --
> >  1 file changed, 2 deletions(-)
> >
> > diff --git a/drivers/acpi/acpica/nsrepair2.c
> > b/drivers/acpi/acpica/nsrepair2.c index d5336122486b..c429c8eca476 100644
> > --- a/drivers/acpi/acpica/nsrepair2.c
> > +++ b/drivers/acpi/acpica/nsrepair2.c
> > @@ -411,8 +411,6 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info,
> >
> >  			(*element_ptr)->common.reference_count =
> >  			    original_ref_count;
> > -
> > -			acpi_ut_remove_reference(original_element);
> >  		}
> >
> >  		element_ptr++;
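Review bot: dropping acpi_ut_remove_reference(original_element) unconditionally is at odds with the reference accounting described earlier in this thread, where an element held inside a _CID package carries one extra reference that acpi_ns_repair_HID does not release; the visible context only shows original_ref_count being written back to the element, so nothing in the hunk establishes that original_element holds a single reference at this point, and if it holds two the package's reference leaks instead of being freed. Suggest either explaining in the commit message how the count reaches one on the affected machine, or locating the fix in the reference handling itself (the ACPICA bug cited in the reply above) rather than removing this call.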
> > --
> > 2.11.0
