Bug 255862

Summary: [PATCH] dev/acpica: Fix a double free in acpi_pci_link_route_irqs
Product: Base System
Reporter: lylgood
Component: kern
Assignee: Mark Johnston <markj>
Status: Closed FIXED
Severity: Affects Many People
CC: markj
Priority: ---
Version: CURRENT
Hardware: Any
OS: Any
Attachments:
Description: add a status check
Flags: none

Description lylgood 2021-05-14 09:18:13 UTC
Created attachment 224925
add a status check

Bug File: sys/dev/acpica/acpi_pci_link.c

In function acpi_pci_link_route_irqs, srsbuf->Pointer is freed via AcpiOsFree() in the callee status = acpi_pci_link_srs_from_links(sc, &srsbuf), and then the callee returns a FAILURE status.

But the returned status has not been checked, which causes srsbuf->Pointer to be freed again at lines 916 and 876, which are double free bugs.

My patch adds a check on the returned status of acpi_pci_link_srs_from_links() to avoid the double free.

Comment 1 commit-hook freebsd_committer freebsd_triage 2021-05-26 14:50:15 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4cf33275289088e3b0a913a44b5cd549e348094d

commit 4cf33275289088e3b0a913a44b5cd549e348094d
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 14:34:39 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-26 14:49:30 +0000

    acpi: Add missing error handling to acpi_pci_link_route_irqs()

    Otherwise the resource buffer may have been freed when
    AcpiSetCurrentResources() is called, leading to a use-after-free.

    PR:             255862
    Submitted by:   Lv Yunlong <lylgood@foxmail.com> (original version)
    MFC after:      1 week

 sys/dev/acpica/acpi_pci_link.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comment 2 commit-hook freebsd_committer freebsd_triage 2021-06-02 13:35:45 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=78b147467ea55886071b099d364757e827afbcd7

commit 78b147467ea55886071b099d364757e827afbcd7
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 14:34:39 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:32:37 +0000

    acpi: Add missing error handling to acpi_pci_link_route_irqs()

    Otherwise the resource buffer may have been freed when
    AcpiSetCurrentResources() is called, leading to a use-after-free.

    PR:             255862
    Submitted by:   Lv Yunlong <lylgood@foxmail.com> (original version)
    MFC after:      1 week

    (cherry picked from commit 4cf33275289088e3b0a913a44b5cd549e348094d)

 sys/dev/acpica/acpi_pci_link.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comment 3 commit-hook freebsd_committer freebsd_triage 2021-06-02 13:37:49 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a53f3a29bf6d3af7cbddaf97b04b05cac7e923a6

commit a53f3a29bf6d3af7cbddaf97b04b05cac7e923a6
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-26 14:34:39 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-02 13:36:03 +0000

    acpi: Add missing error handling to acpi_pci_link_route_irqs()

    Otherwise the resource buffer may have been freed when
    AcpiSetCurrentResources() is called, leading to a use-after-free.

    PR:             255862
    Submitted by:   Lv Yunlong <lylgood@foxmail.com> (original version)
    MFC after:      1 week

    (cherry picked from commit 4cf33275289088e3b0a913a44b5cd549e348094d)

 sys/dev/acpica/acpi_pci_link.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
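
The ownership pattern behind this report, as an added example that is not FreeBSD's code or the submitted patch: a callee that frees the buffer on its failure path, and a caller with and without the status check. All names (`build_resources`, `route_unchecked`, `route_checked`, the tracking allocator) are hypothetical, and the allocator records a free of already-released memory instead of performing it, so the model runs safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an ACPI_BUFFER-style struct. */
struct buf { void *ptr; };

static char arena[64];   /* the single buffer this model hands out */
static int in_use;       /* 1 while the buffer is allocated */
static int bad_frees;    /* frees of memory that was already released */

static void *t_alloc(void) { in_use = 1; return arena; }

/* Tracking free: counts a stale free instead of corrupting anything. */
static void t_free(void *p) {
    if (p == NULL) return;
    if (!in_use) { bad_frees++; return; }
    in_use = 0;
}

/* Callee: on failure it releases the buffer itself and returns an error,
 * leaving b->ptr pointing at freed memory (the contract in the report). */
static int build_resources(struct buf *b, int fail) {
    b->ptr = t_alloc();
    if (fail) { t_free(b->ptr); return -1; }
    return 0;
}

/* Before: the status is ignored, so cleanup frees the buffer again. */
static int route_unchecked(int fail) {
    struct buf b = { NULL };
    bad_frees = 0;
    (void)build_resources(&b, fail);
    /* A consumer of b.ptr here would be reading freed memory. */
    t_free(b.ptr);
    return bad_frees;
}

/* After: return on error; the callee has already done the cleanup. */
static int route_checked(int fail) {
    struct buf b = { NULL };
    bad_frees = 0;
    if (build_resources(&b, fail) != 0)
        return bad_frees;
    t_free(b.ptr);
    return bad_frees;
}

int main(void) {
    int before = route_unchecked(1), after = route_checked(1);
    printf("stale frees: unchecked=%d checked=%d\n", before, after);
    return 0;
}
```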