ACPI: custom_method: fix potential use-after-free issue

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In cm_write(), buf is always freed when reaching the end of the
function. If the requested count is less than table.length, the
allocated buffer will be freed but subsequent calls to cm_write() will
still try to access it.

Remove the unconditional kfree(buf) at the end of the function and
set the buf to NULL in the -EINVAL error path to match the rest of
function.

Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks")
Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

authored by

Mark Langsdorf and committed by

Rafael J. Wysocki 5 years ago e483bb9a d8f9176b

+1 -1

1 changed file

expand all

drivers

acpi

custom_method.c

+1 -1

drivers/acpi/custom_method.c

··· 55 55 (*ppos + count < count) || 56 56 (count > uncopied_bytes)) { 57 57 kfree(buf); 58 + buf = NULL; 58 59 return -EINVAL; 59 60 } 60 61 ··· 77 76 add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE); 78 77 } 79 78 80 - kfree(buf); 81 79 return count; 82 80 } 83 81