Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ACPICA: Avoid use of invalid pointers in returned object field

During operand evaluation, ensure that the ReturnObj field is
cleared on error and only valid pointers are stored there.

Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
Bob Moore 17 years ago
parent
4e3156b183
commit
4b6e16cf2b
4 changed files with 21 additions and 8 deletions
Split View Show Diff Stats
  1. 1 0
      drivers/acpi/executer/exoparg1.c
  2. 13 6
      drivers/acpi/executer/exoparg2.c
  3. 1 0
      drivers/acpi/executer/exoparg3.c
  4. 6 2
      drivers/acpi/executer/exoparg6.c

+ 1 - 0
drivers/acpi/executer/exoparg1.c
View File 

@@ -121,6 +121,7 @@ acpi_status acpi_ex_opcode_0A_0T_1R(struct acpi_walk_state *walk_state)
 
 
 	if ((ACPI_FAILURE(status)) || walk_state->result_obj) {
 
 		acpi_ut_remove_reference(return_desc);
 
+		walk_state->result_obj = NULL;
 
 	} else {
 
 		/* Save the return value */

+ 13 - 6
drivers/acpi/executer/exoparg2.c
View File 

@@ -241,10 +241,6 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
 
 		goto cleanup;
 
 	}
 
 
-	/* Return the remainder */
 
-
 
-	walk_state->result_obj = return_desc1;
 
-
 
       cleanup:
 
 	/*
 
 	 * Since the remainder is not returned indirectly, remove a reference to
 
@@ -259,6 +255,12 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
 
 		acpi_ut_remove_reference(return_desc1);
 
 	}
 
 
+	/* Save return object (the remainder) on success */
 
+
 
+	else {
 
+		walk_state->result_obj = return_desc1;
 
+	}
 
+
 
 	return_ACPI_STATUS(status);
 
 }
 
 
@@ -490,6 +492,7 @@ acpi_status acpi_ex_opcode_2A_1T_1R(struct acpi_walk_state *walk_state)
 
 
 	if (ACPI_FAILURE(status)) {
 
 		acpi_ut_remove_reference(return_desc);
 
+		walk_state->result_obj = NULL;
 
 	}
 
 
 	return_ACPI_STATUS(status);
 
@@ -583,8 +586,6 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
 
 		return_desc->integer.value = ACPI_INTEGER_MAX;
 
 	}
 
 
-	walk_state->result_obj = return_desc;
 
-
 
       cleanup:
 
 
 	/* Delete return object on error */
 
@@ -593,5 +594,11 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
 
 		acpi_ut_remove_reference(return_desc);
 
 	}
 
 
+	/* Save return object on success */
 
+
 
+	else {
 
+		walk_state->result_obj = return_desc;
 
+	}
 
+
 
 	return_ACPI_STATUS(status);
 
 }

+ 1 - 0
drivers/acpi/executer/exoparg3.c
View File 

@@ -260,6 +260,7 @@ acpi_status acpi_ex_opcode_3A_1T_1R(struct acpi_walk_state *walk_state)
 
 
 	if (ACPI_FAILURE(status) || walk_state->result_obj) {
 
 		acpi_ut_remove_reference(return_desc);
 
+		walk_state->result_obj = NULL;
 
 	}
 
 
 	/* Set the return object and exit */

+ 6 - 2
drivers/acpi/executer/exoparg6.c
View File 

@@ -322,8 +322,6 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
 
 		goto cleanup;
 
 	}
 
 
-	walk_state->result_obj = return_desc;
 
-
 
       cleanup:
 
 
 	/* Delete return object on error */
 
@@ -332,5 +330,11 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
 
 		acpi_ut_remove_reference(return_desc);
 
 	}
 
 
+	/* Save return object on success */
 
+
 
+	else {
 
+		walk_state->result_obj = return_desc;
 
+	}
 
+
 
 	return_ACPI_STATUS(status);
 
 }