Executer: Fix the REFCLASS_REFOF case in AcpiExOpcode_1A_0T_1R ()

If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class, AcpiExOpcode_1A_0T_1R () calls AcpiNsGetAttachedObject () to obtain ReturnDesc which may require additional resolution with the help of AcpiExReadDataFromField (). If the latter fails, the reference counter of the original ReturnDesc is decremented which is incorrect, because AcpiNsGetAttachedObject () does not increment the reference counter of the object returned by it. This issue may lead to premature deletion of the attached object while it is still attached and a use-after-free and crash in the host OS. For example, this may happen when on evaluation of RefOf() a local region field where there is no registered handler for the given Operation Region. Fix it by making AcpiExOpcode_1A_0T_1R () return Status right away after a AcpiExReadDataFromField () failure. Link: #685 Reported-by: Lenny Szubowicz <lszubowi@redhat.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
acpica · Nov 10, 2021 · d984f12 · d984f12
1 parent 0420852
commit d984f12
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/source/components/executer/exoparg1.c b/source/components/executer/exoparg1.c
@@ -1193,7 +1193,7 @@ AcpiExOpcode_1A_0T_1R (
                             WalkState, ReturnDesc, &TempDesc);
                         if (ACPI_FAILURE (Status))
                         {
-                            goto Cleanup;
+                            return_ACPI_STATUS (Status);
                         }
 
                         ReturnDesc = TempDesc;