Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ba578732 authored by Mariusz Kozlowski's avatar Mariusz Kozlowski Committed by David S. Miller
Browse files

ide: fix use after free in ide-acpi 



out_obj points to kfreed memory and we dereference that pointer in
DEBPRINT/printk.

Signed-off-by: default avatarMariusz Kozlowski <mk@lab.zgora.pl>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent dd8717da

drivers/ide/ide-acpi.c

+2 −2
Original line number Diff line number Diff line
@@ -416,21 +416,21 @@ void ide_acpi_get_timing(ide_hwif_t *hwif) 


	out_obj = output.pointer;

	if (out_obj->type != ACPI_TYPE_BUFFER) {

		kfree(output.pointer);

		DEBPRINT("Run _GTM: error: "

		       "expected object type of ACPI_TYPE_BUFFER, "

		       "got 0x%x\n", out_obj->type);

		kfree(output.pointer);

		return;

	}



	if (!out_obj->buffer.length || !out_obj->buffer.pointer ||

	    out_obj->buffer.length != sizeof(struct GTM_buffer)) {

		kfree(output.pointer);

		printk(KERN_ERR

			"%s: unexpected _GTM length (0x%x)[should be 0x%zx] or "

			"addr (0x%p)\n",

			__func__, out_obj->buffer.length,

			sizeof(struct GTM_buffer), out_obj->buffer.pointer);

		kfree(output.pointer);

		return;

	}