Module Name: src
Committed By: chs
Date: Mon Jan 13 00:19:43 UTC 2020
Modified Files:
src/sys/dev/acpi: acpi_pci_link.c
Log Message:
apply FreeBSD revs r214848 and r214849:
r214849 | jkim | 2010-11-05 13:24:26 -0700 (Fri, 05 Nov 2010) | 2 lines
Add a forgotten change from the previous commit.
r214848 | jkim | 2010-11-05 12:50:09 -0700 (Fri, 05 Nov 2010) | 13 lines
Fix a use-after-free bug for extended IRQ resource[1]. When _PRS buffer is
copied as a template for _SRS, a string pointer for descriptor name is also
copied and it becomes stale as soon as it gets de-allocated[2]. Now _CRS is
used as a template for _SRS as ACPI specification suggests if it is usable.
The template from _PRS is still utilized but only when _CRS is not available
or broken. To avoid use-after-free the problem in this case, however, only
mandatory fields are copied, optional data is removed, and structure length
is adjusted accordingly.
Reported by: hps[1]
Analyzed by: avg[2]
Tested by: hps
This also fixes reading past the end of a structure as detected by KASAN.
To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/sys/dev/acpi/acpi_pci_link.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
