Message-ID: <94F2FBAB4432B54E8AACC7DFDE6C92E37E563AEA@ORSMSX110.amr.corp.intel.com>
Date: Sat, 4 Feb 2017 04:19:33 +0000
From: "Moore, Robert" <robert.moore@...el.com>
To: João Paulo Rechi Vita <jprvita@...il.com>,
"Zheng, Lv" <lv.zheng@...el.com>,
"Wysocki, Rafael J" <rafael.j.wysocki@...el.com>,
Len Brown <lenb@...nel.org>, Lin Ming <ming.m.lin@...el.com>
CC: "linux-acpi@...r.kernel.org" <linux-acpi@...r.kernel.org>,
"devel@...ica.org" <devel@...ica.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Daniel Drake <drake@...lessm.com>,
"linux@...lessm.com" <linux@...lessm.com>,
João Paulo Rechi Vita <jprvita@...lessm.com>,
"Box, David E" <david.e.box@...el.com>,
"Schmauss, Erik" <erik.schmauss@...el.com>
Subject: RE: [PATCH] acpica: Fix double-free in acpi_ns_repair_CID()
Here's the sequence of events as I see it:
Repair_HID is a standalone function that removes one reference on the incoming object. For simple _HID objects, this in fact deletes the object.
For _CID, all elements of the package are examined. If a repair was made on a _HID within the _CID function, one reference on the original object was removed by Repair_HID. However, since the object is part of a package, it has an extra reference to reflect this fact. Thus, in the case in question, the elements of the package all have at least two references. Repair_HID removes one reference, thus the extra RemoveReference is needed in Repair_CID to bring the reference count down to zero and actually delete the object (in the typical case where the object had two references).
Bob
> -----Original Message-----
> From: João Paulo Rechi Vita [mailto:jprvita@...il.com]
> Sent: Friday, February 03, 2017 12:57 PM
> To: Moore, Robert; Zheng, Lv; Wysocki, Rafael J; Len Brown; Lin Ming
> Cc: linux-acpi@...r.kernel.org; devel@...ica.org; linux-
> kernel@...r.kernel.org; Daniel Drake; linux@...lessm.com; João Paulo Rechi
> Vita
> Subject: [PATCH] acpica: Fix double-free in acpi_ns_repair_CID()
>
> When acpi_ns_repair_CID() is called for a _CID which returns a package of
> strings, it calls acpi_ns_repair_HID() for each of the package elements.
> acpi_ns_repair_HID() calls acpi_ut_remove_reference() on the original
> object, but acpi_ns_repair_CID() calls it again on return, leading to a
> double free.
>
> This problem was seen on an Acer TravelMate P449-G2-MG.
>
> Thanks to Daniel Drake for helping investigate this problem.
>
> Signed-off-by: João Paulo Rechi Vita <jprvita@...lessm.com>
> ---
> drivers/acpi/acpica/nsrepair2.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/acpi/acpica/nsrepair2.c
> b/drivers/acpi/acpica/nsrepair2.c index d5336122486b..c429c8eca476 100644
> --- a/drivers/acpi/acpica/nsrepair2.c
> +++ b/drivers/acpi/acpica/nsrepair2.c
> @@ -411,8 +411,6 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info,
>
> (*element_ptr)->common.reference_count =
> original_ref_count;
> -
> - acpi_ut_remove_reference(original_element);
> }
>
> element_ptr++;
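Review bot: removing `acpi_ut_remove_reference(original_element);` leaves no visible place in this hunk where the reference the package itself holds on `original_element` is dropped; the surrounding lines only restore `(*element_ptr)->common.reference_count = original_ref_count;` on the element slot, and the commit message asserts a double free without tracing how many references `original_element` carries when `acpi_ns_repair_HID()` returns. Suggest adding that reference-count trace (object creation, insertion into the package, the remove inside `acpi_ns_repair_HID()`) to the commit message, since if the package contributes its own reference the deleted line is the one that frees the object and its removal turns the crash into a leak rather than fixing it.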
> --
> 2.11.0
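To make the reference-count argument in this thread concrete, here is an added standalone model (not ACPICA code; the struct, function names and counts are hypothetical stand-ins chosen to mirror the description above). It encodes the two premises under discussion as parameters: whether the package holds its own reference on each element, and whether Repair_CID performs the extra RemoveReference that the patch deletes. The outcome flips between "freed exactly once", "leaked" and "double free" depending on that first premise, which is the fact the commit message needs to establish.

```c
#include <stdlib.h>

/* Hypothetical stand-in for an ACPICA operand object: only the
 * reference count matters for this model (not ACPICA's real struct). */
struct obj {
    int reference_count;
    int freed;          /* set once the count reaches zero */
    int double_free;    /* set if a remove is attempted after freeing */
};

static struct obj *obj_new(void)
{
    struct obj *o = calloc(1, sizeof *o);
    if (o)
        o->reference_count = 1;     /* the creator holds the first reference */
    return o;
}

/* Stand-ins for acpi_ut_add_reference / acpi_ut_remove_reference. */
static void add_reference(struct obj *o)
{
    o->reference_count++;
}

static void remove_reference(struct obj *o)
{
    if (o->freed) {                 /* real code would touch freed memory here */
        o->double_free = 1;
        return;
    }
    if (--o->reference_count == 0)
        o->freed = 1;               /* real code frees the object here */
}

/* Stand-in for Repair_HID: drops exactly one reference on the object it examined. */
static void repair_hid(struct obj *o)
{
    remove_reference(o);
}

/* Simple _HID: the object has one reference and Repair_HID consumes it.
 * Returns 1 if the object was freed exactly once. */
int simulate_simple_hid(void)
{
    struct obj *o = obj_new();
    int ok;
    repair_hid(o);
    ok = o->freed && !o->double_free;
    free(o);
    return ok;
}

/* _CID returning a package of n elements. If package_holds_ref is set, the package
 * takes one extra reference on each element (the reply's premise). Repair_CID then
 * calls Repair_HID per element and, if extra_remove is set, the additional
 * RemoveReference that the patch deletes. Returns the number of elements left
 * alive (leaked), or -1 if any element was freed twice. */
int simulate_cid_package(int n, int package_holds_ref, int extra_remove)
{
    struct obj **pkg = calloc((size_t)n, sizeof *pkg);
    int alive = 0, bad = 0, i;

    for (i = 0; i < n; i++) {
        pkg[i] = obj_new();
        if (package_holds_ref)
            add_reference(pkg[i]);      /* count is now 2 */
    }
    for (i = 0; i < n; i++) {
        repair_hid(pkg[i]);             /* drops one reference */
        if (extra_remove)
            remove_reference(pkg[i]);   /* the call removed by the patch */
    }
    for (i = 0; i < n; i++) {
        if (pkg[i]->double_free)
            bad = 1;
        else if (!pkg[i]->freed)
            alive++;
        free(pkg[i]);
    }
    free(pkg);
    return bad ? -1 : alive;
}
```

With the package holding its own reference, keeping the extra remove frees every element exactly once and deleting it leaks all of them; without that package reference, the extra remove is the double free the patch describes. Which case applies is exactly what a reference-count trace of the real objects would settle.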