Bug 255862 - [PATCH] dev/acpica: Fix a double free in acpi_pci_link_route_irqs
Status: Closed FIXED
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Mark Johnston
Reported: 2021-05-14 09:18 UTC by lylgood
Modified: 2021-06-02 13:39 UTC

Attachments
add a status check (508 bytes, patch)
2021-05-14 09:18 UTC, lylgood

Description lylgood 2021-05-14 09:18:13 UTC
Created attachment 224925
add a status check

Bug File: sys/dev/acpica/acpi_pci_link.c

In function acpi_pci_link_route_irqs, srsbuf->Pointer is freed via AcpiOsFree() in the callee status = acpi_pci_link_srs_from_links(sc, &srsbuf), and then the callee returns a FAILURE status.

But the returned status has not been checked, which causes srsbuf->Pointer to be freed again at lines 916 and 876, which are double free bugs.

My patch adds a check on the returned status of acpi_pci_link_srs_from_links() to avoid the double free.
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-05-26 14:50:15 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4cf33275289088e3b0a913a44b5cd549e348094d

commit 4cf33275289088e3b0a913a44b5cd549e348094d
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 14:34:39 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-26 14:49:30 +0000

    acpi: Add missing error handling to acpi_pci_link_route_irqs()

    Otherwise the resource buffer may have been freed when
    AcpiSetCurrentResources() is called, leading to a use-after-free.

    PR:             255862
    Submitted by:   Lv Yunlong <lylgood@foxmail.com> (original version)
    MFC after:      1 week

 sys/dev/acpica/acpi_pci_link.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-06-02 13:35:45 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=78b147467ea55886071b099d364757e827afbcd7

commit 78b147467ea55886071b099d364757e827afbcd7
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 14:34:39 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:32:37 +0000

    acpi: Add missing error handling to acpi_pci_link_route_irqs()

    Otherwise the resource buffer may have been freed when
    AcpiSetCurrentResources() is called, leading to a use-after-free.

    PR:             255862
    Submitted by:   Lv Yunlong <lylgood@foxmail.com> (original version)
    MFC after:      1 week

    (cherry picked from commit 4cf33275289088e3b0a913a44b5cd549e348094d)

 sys/dev/acpica/acpi_pci_link.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2021-06-02 13:37:49 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a53f3a29bf6d3af7cbddaf97b04b05cac7e923a6

commit a53f3a29bf6d3af7cbddaf97b04b05cac7e923a6
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 14:34:39 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:36:03 +0000

    acpi: Add missing error handling to acpi_pci_link_route_irqs()

    Otherwise the resource buffer may have been freed when
    AcpiSetCurrentResources() is called, leading to a use-after-free.

    PR:             255862
    Submitted by:   Lv Yunlong <lylgood@foxmail.com> (original version)
    MFC after:      1 week

    (cherry picked from commit 4cf33275289088e3b0a913a44b5cd549e348094d)

 sys/dev/acpica/acpi_pci_link.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
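
The pattern from the description (a callee that frees the buffer on failure, a caller that ignores the status) and from the commit message (the freed buffer is then used), as an added example that is not code from the report or from the FreeBSD tree. All names are hypothetical, and the release function counts calls instead of freeing twice, so the model runs without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model; every name here is hypothetical, not FreeBSD's. */
struct resbuf { void *ptr; int frees; int stale_uses; };

/* Stand-in for the release call: counts releases, frees memory only once. */
static void resbuf_free(struct resbuf *b) {
    if (b->frees++ == 0) free(b->ptr);
}

/* Callee: on failure it releases the buffer itself and returns an error. */
static int build_resources(struct resbuf *b, int fail) {
    b->ptr = malloc(64);
    if (b->ptr == NULL || fail) {
        resbuf_free(b);
        return -1;
    }
    return 0;
}

/* Consumer of the buffer: records any use of already-released memory. */
static void apply_resources(struct resbuf *b) {
    if (b->frees > 0) b->stale_uses++;
}

/* Before: status is ignored, so the failure path uses and frees again. */
static int route_unchecked(struct resbuf *b, int fail) {
    int status = build_resources(b, fail);
    apply_resources(b);
    resbuf_free(b);
    return status;
}

/* After: bail out on error; the callee already released the buffer. */
static int route_checked(struct resbuf *b, int fail) {
    int status = build_resources(b, fail);
    if (status != 0)
        return status;
    apply_resources(b);
    resbuf_free(b);
    return 0;
}

int main(void) {
    struct resbuf u = {0}, c = {0};
    route_unchecked(&u, 1); route_checked(&c, 1);
    printf("unchecked: frees=%d stale_uses=%d\n", u.frees, u.stale_uses);
    printf("checked:   frees=%d stale_uses=%d\n", c.frees, c.stale_uses);
    return 0;
}
```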