ACPICA: Avoid use of invalid pointers in returned object field
authorBob Moore <robert.moore@intel.com>
Thu, 10 Apr 2008 15:06:37 +0000 (19:06 +0400)
committerLen Brown <len.brown@intel.com>
Tue, 22 Apr 2008 18:29:21 +0000 (14:29 -0400)
During operand evaluation, ensure that the ReturnObj field is
cleared on error and only valid pointers are stored there.

Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
drivers/acpi/executer/exoparg1.c
drivers/acpi/executer/exoparg2.c
drivers/acpi/executer/exoparg3.c
drivers/acpi/executer/exoparg6.c

index 252f10acbbccc3436a4def9c1ac305509fc6f0e1..ab5c03724527a829027c8684cac0dd8ed72cd76d 100644 (file)
@@ -121,6 +121,7 @@ acpi_status acpi_ex_opcode_0A_0T_1R(struct acpi_walk_state *walk_state)
 
        if ((ACPI_FAILURE(status)) || walk_state->result_obj) {
                acpi_ut_remove_reference(return_desc);
+               walk_state->result_obj = NULL;
        } else {
                /* Save the return value */
 
index 17e652e653799f97c9d88de6fd9e3d1a166f0ce3..81c02b12d3f224f9ca59e8af562969077de0d1c0 100644 (file)
@@ -241,10 +241,6 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
                goto cleanup;
        }
 
-       /* Return the remainder */
-
-       walk_state->result_obj = return_desc1;
-
       cleanup:
        /*
         * Since the remainder is not returned indirectly, remove a reference to
@@ -259,6 +255,12 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
                acpi_ut_remove_reference(return_desc1);
        }
 
+       /* Save return object (the remainder) on success */
+
+       else {
+               walk_state->result_obj = return_desc1;
+       }
+
        return_ACPI_STATUS(status);
 }
 
@@ -490,6 +492,7 @@ acpi_status acpi_ex_opcode_2A_1T_1R(struct acpi_walk_state *walk_state)
 
        if (ACPI_FAILURE(status)) {
                acpi_ut_remove_reference(return_desc);
+               walk_state->result_obj = NULL;
        }
 
        return_ACPI_STATUS(status);
@@ -583,8 +586,6 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
                return_desc->integer.value = ACPI_INTEGER_MAX;
        }
 
-       walk_state->result_obj = return_desc;
-
       cleanup:
 
        /* Delete return object on error */
@@ -593,5 +594,11 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
                acpi_ut_remove_reference(return_desc);
        }
 
+       /* Save return object on success */
+
+       else {
+               walk_state->result_obj = return_desc;
+       }
+
        return_ACPI_STATUS(status);
 }
index 7fe67cf82cee016e47f3699aee0b2eb1d57ab407..a573f5d260f72ee7660754fa91ba5fe7dc41dbe2 100644 (file)
@@ -260,6 +260,7 @@ acpi_status acpi_ex_opcode_3A_1T_1R(struct acpi_walk_state *walk_state)
 
        if (ACPI_FAILURE(status) || walk_state->result_obj) {
                acpi_ut_remove_reference(return_desc);
+               walk_state->result_obj = NULL;
        }
 
        /* Set the return object and exit */
index bd80a9cb3d6529bce2a2804800639e4d0578d93c..163b2b3d9ce2d4b10058fd71d2612fd8dde1ad27 100644 (file)
@@ -322,8 +322,6 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
                goto cleanup;
        }
 
-       walk_state->result_obj = return_desc;
-
       cleanup:
 
        /* Delete return object on error */
@@ -332,5 +330,11 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
                acpi_ut_remove_reference(return_desc);
        }
 
+       /* Save return object on success */
+
+       else {
+               walk_state->result_obj = return_desc;
+       }
+
        return_ACPI_STATUS(status);
 }