Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4b6e16cf authored by Bob Moore's avatar Bob Moore Committed by Len Brown
Browse files

ACPICA: Avoid use of invalid pointers in returned object field 



During operand evaluation, ensure that the ReturnObj field is
cleared on error and only valid pointers are stored there.

Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
Signed-off-by: default avatarAlexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: default avatarLen Brown <len.brown@intel.com>
parent 4e3156b1

drivers/acpi/executer/exoparg1.c

+1 −0
Original line number Diff line number Diff line
@@ -121,6 +121,7 @@ acpi_status acpi_ex_opcode_0A_0T_1R(struct acpi_walk_state *walk_state) 


	if ((ACPI_FAILURE(status)) || walk_state->result_obj) {

		acpi_ut_remove_reference(return_desc);

		walk_state->result_obj = NULL;

	} else {

		/* Save the return value */

drivers/acpi/executer/exoparg2.c

+13 −6
Original line number Diff line number Diff line
@@ -241,10 +241,6 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state) 
		goto cleanup;

	}



	/* Return the remainder */



	walk_state->result_obj = return_desc1;



      cleanup:

	/*

	 * Since the remainder is not returned indirectly, remove a reference to
@@ -259,6 +255,12 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state) 
		acpi_ut_remove_reference(return_desc1);

	}



	/* Save return object (the remainder) on success */



	else {

		walk_state->result_obj = return_desc1;

	}



	return_ACPI_STATUS(status);

}
@@ -490,6 +492,7 @@ acpi_status acpi_ex_opcode_2A_1T_1R(struct acpi_walk_state *walk_state) 


	if (ACPI_FAILURE(status)) {

		acpi_ut_remove_reference(return_desc);

		walk_state->result_obj = NULL;

	}



	return_ACPI_STATUS(status);
@@ -583,8 +586,6 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state) 
		return_desc->integer.value = ACPI_INTEGER_MAX;

	}



	walk_state->result_obj = return_desc;



      cleanup:



	/* Delete return object on error */
@@ -593,5 +594,11 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state) 
		acpi_ut_remove_reference(return_desc);

	}



	/* Save return object on success */



	else {

		walk_state->result_obj = return_desc;

	}



	return_ACPI_STATUS(status);

}

drivers/acpi/executer/exoparg3.c

+1 −0
Original line number Diff line number Diff line
@@ -260,6 +260,7 @@ acpi_status acpi_ex_opcode_3A_1T_1R(struct acpi_walk_state *walk_state) 


	if (ACPI_FAILURE(status) || walk_state->result_obj) {

		acpi_ut_remove_reference(return_desc);

		walk_state->result_obj = NULL;

	}



	/* Set the return object and exit */

drivers/acpi/executer/exoparg6.c

+6 −2
Original line number Diff line number Diff line
@@ -322,8 +322,6 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state) 
		goto cleanup;

	}



	walk_state->result_obj = return_desc;



      cleanup:



	/* Delete return object on error */
@@ -332,5 +330,11 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state) 
		acpi_ut_remove_reference(return_desc);

	}



	/* Save return object on success */



	else {

		walk_state->result_obj = return_desc;

	}



	return_ACPI_STATUS(status);

}