lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ide: fix use after free in ide-acpi

Browse Source 
out_obj points to kfreed memory and we dereference that pointer in
DEBPRINT/printk.

Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Mariusz Kozlowski
2010-11-22 11:37:21 -08:00
committed by David S. Miller
parent dd8717da6d
commit ba5787323d
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/ide/ide-acpi.c
View File

@@ -416,21 +416,21 @@ void ide_acpi_get_timing(ide_hwif_t *hwif)
out_obj = output.pointer; out_obj = output.pointer;
if (out_obj->type != ACPI_TYPE_BUFFER) { if (out_obj->type != ACPI_TYPE_BUFFER) {
kfree(output.pointer);
DEBPRINT("Run _GTM: error: " DEBPRINT("Run _GTM: error: "
"expected object type of ACPI_TYPE_BUFFER, " "expected object type of ACPI_TYPE_BUFFER, "
"got 0x%x\n", out_obj->type); "got 0x%x\n", out_obj->type);
kfree(output.pointer);
return; return;
} }
if (!out_obj->buffer.length || !out_obj->buffer.pointer || if (!out_obj->buffer.length || !out_obj->buffer.pointer ||
out_obj->buffer.length != sizeof(struct GTM_buffer)) { out_obj->buffer.length != sizeof(struct GTM_buffer)) {
kfree(output.pointer);
printk(KERN_ERR printk(KERN_ERR
"%s: unexpected _GTM length (0x%x)[should be 0x%zx] or " "%s: unexpected _GTM length (0x%x)[should be 0x%zx] or "
"addr (0x%p)\n", "addr (0x%p)\n",
__func__, out_obj->buffer.length, __func__, out_obj->buffer.length,
sizeof(struct GTM_buffer), out_obj->buffer.pointer); sizeof(struct GTM_buffer), out_obj->buffer.pointer);
kfree(output.pointer);
return; return;
} }