| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20170203205654.28269-1-jprvita@endlessm.com>
Date: Fri, 3 Feb 2017 15:56:54 -0500
From: "João Paulo Rechi Vita" <jprvita@...il.com>
To: Robert Moore <robert.moore@...el.com>,
Lv Zheng <lv.zheng@...el.com>,
"Rafael J . Wysocki" <rafael.j.wysocki@...el.com>,
Len Brown <lenb@...nel.org>, Lin Ming <ming.m.lin@...el.com>
Cc: linux-acpi@...r.kernel.org, devel@...ica.org,
linux-kernel@...r.kernel.org, Daniel Drake <drake@...lessm.com>,
linux@...lessm.com,
João Paulo Rechi Vita <jprvita@...lessm.com>
Subject: [PATCH] acpica: Fix double-free in acpi_ns_repair_CID()
When acpi_ns_repair_CID() is called for a _CID which returns a package
of strings, it calls acpi_ns_repair_HID() for each of the package
elements. acpi_ns_repair_HID() calls acpi_ut_remove_reference() on the
original object, but acpi_ns_repair_CID() calls it again on return,
leading to a double free.
This problem was seen on a Acer TravelMate P449-G2-MG.
Thanks to Daniel Drake for helping investigating this problem.
Signed-off-by: João Paulo Rechi Vita <jprvita@...lessm.com>
---
drivers/acpi/acpica/nsrepair2.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/acpi/acpica/nsrepair2.c b/drivers/acpi/acpica/nsrepair2.c
index d5336122486b..c429c8eca476 100644
--- a/drivers/acpi/acpica/nsrepair2.c
+++ b/drivers/acpi/acpica/nsrepair2.c
@@ -411,8 +411,6 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info,
(*element_ptr)->common.reference_count =
original_ref_count;
-
- acpi_ut_remove_reference(original_element);
}
element_ptr++;
--
2.11.0
Powered by blists - more mailing lists