lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAJZ5v0ia-CN=zsmQr9+vnFDfCe1U8EFUDiRfUnGVMqS9b9AXpQ@mail.gmail.com>
Date:   Fri, 2 Dec 2022 20:36:35 +0100
From:   "Rafael J. Wysocki" <rafael@...nel.org>
To:     Li Zetao <lizetao1@...wei.com>
Cc:     robert.moore@...el.com, rafael.j.wysocki@...el.com,
        lenb@...nel.org, lv.zheng@...el.com, david.e.box@...ux.intel.com,
        linux-acpi@...r.kernel.org, devel@...ica.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()

On Thu, Dec 1, 2022 at 8:00 AM Li Zetao <lizetao1@...wei.com> wrote:
>
> There is an use-after-free reported by KASAN:
>
>   BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
>   Read of size 1 at addr ffff888112afc460 by task modprobe/2111
>   CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
>   Call Trace:
>    <TASK>
>    kasan_report+0xae/0xe0
>    acpi_ut_remove_reference+0x3b/0x82
>    acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
>    acpi_ds_store_object_to_local+0x15d/0x3a0
>    acpi_ex_store+0x78d/0x7fd
>    acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
>    acpi_ps_parse_aml+0x217/0x8d5
>    ...
>    </TASK>
>
> The root cause of the problem is that the acpi_operand_object
> is freed when acpi_ut_walk_package_tree() fails in
> acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in
> acpi_ut_copy_iobject_to_iobject(). The problem was introduced
> by "8aa5e56eeb61" commit, this commit is to fix memory leak in
> acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove
> operation, lead to "acpi_operand_object" used after free.
>
> Fix it by removing acpi_ut_remove_reference() in
> acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()
> is called to copy an internal package object into another internal
> package object, when it fails, the memory of acpi_operand_object
> should be freed by the caller.
>
> Fixes: 8aa5e56eeb61 ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject")
> Signed-off-by: Li Zetao <lizetao1@...wei.com>
> ---
>  drivers/acpi/acpica/utcopy.c | 7 -------
>  1 file changed, 7 deletions(-)
>
> diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c
> index 400b9e15a709..63c17f420fb8 100644
> --- a/drivers/acpi/acpica/utcopy.c
> +++ b/drivers/acpi/acpica/utcopy.c
> @@ -916,13 +916,6 @@ acpi_ut_copy_ipackage_to_ipackage(union acpi_operand_object *source_obj,
>         status = acpi_ut_walk_package_tree(source_obj, dest_obj,
>                                            acpi_ut_copy_ielement_to_ielement,
>                                            walk_state);
> -       if (ACPI_FAILURE(status)) {
> -
> -               /* On failure, delete the destination package object */
> -
> -               acpi_ut_remove_reference(dest_obj);
> -       }
> -
>         return_ACPI_STATUS(status);
>  }
>
> --

Applied as 6.2 material.

Normally, I would ask for a corresponding pull request to be submitted
to the upstream project on GitHub, but this looks serious enough to be
fast-tracked.

Anyway, it would help if you submitted a pull request with this change
to upstream ACPICA on GitHub.  Otherwise, I'll take care of that.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ