From patchwork Wed Oct 19 07:34:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chen Zhongjin X-Patchwork-Id: 4462 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4ac7:0:0:0:0:0 with SMTP id y7csp182908wrs; Wed, 19 Oct 2022 00:43:22 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7z7czNjI1ch7uTUitAe9s1HM/gotQnM9u/KTPJoHi1cWG00+CpJxg06jyYFzapHErldN59 X-Received: by 2002:a63:e64f:0:b0:43c:9db1:8096 with SMTP id p15-20020a63e64f000000b0043c9db18096mr5939618pgj.567.1666165401932; Wed, 19 Oct 2022 00:43:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666165401; cv=none; d=google.com; s=arc-20160816; b=XjUEM+IE2CVWb7eR606CWAmXG0TbpdlyWjC+wHfL+SmdlGEAmYgOQEZcXraa8rjlJP LOxjFfeK3f4vZtHcdk9k/8nC9mstB1YSMlA0yJQ1y2XZfC53Qt/k5E9Zrk+hSc4v1+jc +yno8P1C6Qi90DrdyrfFYcbj8PwP9FK0Vf4fPaRzvlHAcbThx91HnRlCrDky/S9h0f9e ortmw8ozaDR1i9cUeitMjQLyAjKM5mRVAyQwSBX2wQABo/9XLdRhI5YTl4rZRngm50MZ Vqz9w+F1Pw+SEVjWoUePmwCLwmMnwBD+S0gOBbND9T9Rxx18qfOO5iirwaq7dX6SQuhI n8yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from; bh=gZux3SezUccC92l1vNoVqBaFl/N5b7sVdZXo0OnWyRI=; b=A3iDHAnT2diwu6ExzFkFTqCikyjsSCyhfznkg/mZFdFvenXr9PZFylJa6MTbGMmUp0 mKG/5OnrXMwHo75Aw4fzy0ZzLAmCAgabfOgHrtUODiSn5itjTX4QNXJ8+4z3M0f/yEPw oVF5V1TlqqfelRB4mntB5X5CD+/UsDaGMreChLdUiwDkfHDgZOq7VuEBIPUYHvsG7Del 2q7XXEzasjq82T9sOjvLIa19AiMtyp4TbyHnp/F+kgffD7AYV0fZnaem9kj+XQSxCpgx hI2DkoBo6SQOp9q1ZBBEU4UDXDOjfOYNwzlGjqCL6aPxh0g6WnVOtVhdnFBp5QMZDuQb AFfg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q130-20020a632a88000000b0045f74df51dfsi17064764pgq.536.2022.10.19.00.43.09; Wed, 19 Oct 2022 00:43:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229852AbiJSHiY (ORCPT + 99 others); Wed, 19 Oct 2022 03:38:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52036 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229596AbiJSHiX (ORCPT ); Wed, 19 Oct 2022 03:38:23 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A437863F30; Wed, 19 Oct 2022 00:38:22 -0700 (PDT) Received: from dggpemm500023.china.huawei.com (unknown [172.30.72.55]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MsjC46y7gzmVFX; Wed, 19 Oct 2022 15:33:36 +0800 (CST) Received: from dggpemm500013.china.huawei.com (7.185.36.172) by dggpemm500023.china.huawei.com (7.185.36.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 19 Oct 2022 15:38:09 +0800 Received: from ubuntu1804.huawei.com (10.67.175.36) by dggpemm500013.china.huawei.com (7.185.36.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 19 Oct 2022 15:38:09 +0800 From: Chen Zhongjin To: , , CC: , , , , Subject: [PATCH] ACPICA: Fix use-after-free in acpi_ps_parse_aml() Date: Wed, 19 Oct 2022 15:34:43 +0800 Message-ID: <20221019073443.248215-1-chenzhongjin@huawei.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 X-Originating-IP: [10.67.175.36] X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggpemm500013.china.huawei.com (7.185.36.172) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747101052549199087?= X-GMAIL-MSGID: =?utf-8?q?1747101052549199087?= KASAN reports a use-after-free problem and causes kernel panic triggered by: modprobe acpiphp_ibm BUG: KASAN: use-after-free in acpi_ds_dump_method_stack (drivers/acpi/acpica/dsdebug.c:145) Read of size 8 at addr ffff888002f843f0 by task modprobe/519 CPU: 2 PID: 519 Comm: modprobe Not tainted 6.0.0+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: acpi_ds_dump_method_stack (drivers/acpi/acpica/dsdebug.c:145) acpi_ds_method_error (drivers/acpi/acpica/dsmethod.c:232) acpi_ps_parse_aml (drivers/acpi/acpica/psparse.c:607) ... Allocated by task 519: ... __kasan_kmalloc (mm/kasan/common.c:526) acpi_ds_create_walk_state (drivers/acpi/acpica/dswstate.c:519) acpi_ds_call_control_method (drivers/acpi/acpica/dsmethod.c:498) acpi_ps_parse_aml (drivers/acpi/acpica/psparse.c:607) ... Freed by task 519: ... __kmem_cache_free+0xb6/0x3c0 acpi_ds_delete_walk_state (drivers/acpi/acpica/dswstate.c:722) acpi_ds_call_control_method (drivers/acpi/acpica/dsmethod.c:586) acpi_ps_parse_aml (drivers/acpi/acpica/psparse.c:607) ... ---[ end Kernel panic - not syncing: Fatal exception ]--- In the error path in acpi_ps_parse_aml(): acpi_ds_call_control_method() acpi_ds_create_walk_state() acpi_ds_push_walk_state() # thread->walk_state_list = walk_state acpi_ds_init_aml_walk # *fail* goto cleanup: acpi_ds_delete_walk_state() # ACPI_FREE(walk_state) acpi_ds_method_error() acpi_ds_dump_method_stack() # using freed thread->walk_state_list Briefly, the walk_state is pushed to thread, and freed without being poped. Then it is used in acpi_ds_dump_method_stack() and causes use-after-free. Add acpi_ds_pop_walk_state(thread) to the error path to fix the problem. Fixes: 0bac4295526c ("ACPICA: Dispatcher: Move stack traversal code to dispatcher") Signed-off-by: Chen Zhongjin --- drivers/acpi/acpica/dsmethod.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c index ae2e768830bf..19da7fc73186 100644 --- a/drivers/acpi/acpica/dsmethod.c +++ b/drivers/acpi/acpica/dsmethod.c @@ -581,6 +581,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, acpi_ds_terminate_control_method(obj_desc, next_walk_state); acpi_ds_delete_walk_state(next_walk_state); + acpi_ds_pop_walk_state(thread); return_ACPI_STATUS(status); }