Commit 4b6e16cf authored by Bob Moore's avatar Bob Moore Committed by Len Brown

ACPICA: Avoid use of invalid pointers in returned object field

During operand evaluation, ensure that the ReturnObj field is
cleared on error and only valid pointers are stored there.
Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
Signed-off-by: default avatarAlexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: default avatarLen Brown <len.brown@intel.com>
parent 4e3156b1
...@@ -121,6 +121,7 @@ acpi_status acpi_ex_opcode_0A_0T_1R(struct acpi_walk_state *walk_state) ...@@ -121,6 +121,7 @@ acpi_status acpi_ex_opcode_0A_0T_1R(struct acpi_walk_state *walk_state)
if ((ACPI_FAILURE(status)) || walk_state->result_obj) { if ((ACPI_FAILURE(status)) || walk_state->result_obj) {
acpi_ut_remove_reference(return_desc); acpi_ut_remove_reference(return_desc);
walk_state->result_obj = NULL;
} else { } else {
/* Save the return value */ /* Save the return value */
......
...@@ -241,10 +241,6 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state) ...@@ -241,10 +241,6 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
goto cleanup; goto cleanup;
} }
/* Return the remainder */
walk_state->result_obj = return_desc1;
cleanup: cleanup:
/* /*
* Since the remainder is not returned indirectly, remove a reference to * Since the remainder is not returned indirectly, remove a reference to
...@@ -259,6 +255,12 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state) ...@@ -259,6 +255,12 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
acpi_ut_remove_reference(return_desc1); acpi_ut_remove_reference(return_desc1);
} }
/* Save return object (the remainder) on success */
else {
walk_state->result_obj = return_desc1;
}
return_ACPI_STATUS(status); return_ACPI_STATUS(status);
} }
...@@ -490,6 +492,7 @@ acpi_status acpi_ex_opcode_2A_1T_1R(struct acpi_walk_state *walk_state) ...@@ -490,6 +492,7 @@ acpi_status acpi_ex_opcode_2A_1T_1R(struct acpi_walk_state *walk_state)
if (ACPI_FAILURE(status)) { if (ACPI_FAILURE(status)) {
acpi_ut_remove_reference(return_desc); acpi_ut_remove_reference(return_desc);
walk_state->result_obj = NULL;
} }
return_ACPI_STATUS(status); return_ACPI_STATUS(status);
...@@ -583,8 +586,6 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state) ...@@ -583,8 +586,6 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
return_desc->integer.value = ACPI_INTEGER_MAX; return_desc->integer.value = ACPI_INTEGER_MAX;
} }
walk_state->result_obj = return_desc;
cleanup: cleanup:
/* Delete return object on error */ /* Delete return object on error */
...@@ -593,5 +594,11 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state) ...@@ -593,5 +594,11 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
acpi_ut_remove_reference(return_desc); acpi_ut_remove_reference(return_desc);
} }
/* Save return object on success */
else {
walk_state->result_obj = return_desc;
}
return_ACPI_STATUS(status); return_ACPI_STATUS(status);
} }
...@@ -260,6 +260,7 @@ acpi_status acpi_ex_opcode_3A_1T_1R(struct acpi_walk_state *walk_state) ...@@ -260,6 +260,7 @@ acpi_status acpi_ex_opcode_3A_1T_1R(struct acpi_walk_state *walk_state)
if (ACPI_FAILURE(status) || walk_state->result_obj) { if (ACPI_FAILURE(status) || walk_state->result_obj) {
acpi_ut_remove_reference(return_desc); acpi_ut_remove_reference(return_desc);
walk_state->result_obj = NULL;
} }
/* Set the return object and exit */ /* Set the return object and exit */
......
...@@ -322,8 +322,6 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state) ...@@ -322,8 +322,6 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
goto cleanup; goto cleanup;
} }
walk_state->result_obj = return_desc;
cleanup: cleanup:
/* Delete return object on error */ /* Delete return object on error */
...@@ -332,5 +330,11 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state) ...@@ -332,5 +330,11 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
acpi_ut_remove_reference(return_desc); acpi_ut_remove_reference(return_desc);
} }
/* Save return object on success */
else {
walk_state->result_obj = return_desc;
}
return_ACPI_STATUS(status); return_ACPI_STATUS(status);
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment