authorBob Moore <robert.moore@intel.com>2008-04-10 11:06:37 -0400
committerLen Brown <len.brown@intel.com>2008-04-22 14:29:21 -0400
commit4b6e16cf2bacbf328535097fa74f1494b1873c54 (patch)
tree5b81427d81577d7741d3d17dcc928a770decdbe0
parent4e3156b183aa087bc19804b3295c7c1a71f64752 (diff)
ACPICA: Avoid use of invalid pointers in returned object field
During operand evaluation, ensure that the ReturnObj field is cleared on error and only valid pointers are stored there. Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de> Signed-off-by: Len Brown <len.brown@intel.com>
-rw-r--r--drivers/acpi/executer/exoparg1.c1
-rw-r--r--drivers/acpi/executer/exoparg2.c19
-rw-r--r--drivers/acpi/executer/exoparg3.c1
-rw-r--r--drivers/acpi/executer/exoparg6.c8
4 files changed, 21 insertions, 8 deletions
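--- a/drivers/acpi/executer/exoparg1.c
+++ b/drivers/acpi/executer/exoparg1.c
@@ -121,6 +121,7 @@ acpi_status acpi_ex_opcode_0A_0T_1R(struct acpi_walk_state *walk_state)
 
  if ((ACPI_FAILURE(status)) || walk_state->result_obj) {
  acpi_ut_remove_reference(return_desc);
+ walk_state->result_obj = NULL;
  } else {
  /* Save the return value */
 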
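Review bot: The added `walk_state->result_obj = NULL;` in acpi_ex_opcode_0A_0T_1R also runs when status is a success and result_obj was already non-NULL, because the guard is `(ACPI_FAILURE(status)) || walk_state->result_obj`. In that case the field is overwritten while the reference is dropped on return_desc, not on the object result_obj pointed to, and the hunk does not show who still holds a reference to that object. Either split the guard so only the failure case clears the field, or add a comment on the branch saying which code owns a pre-existing result_obj and why discarding the pointer here cannot leak it. The acpi_ex_opcode_3A_1T_1R hunk in exoparg3.c has the same guard and the same added line; both function bodies start and end outside their hunks.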
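--- a/drivers/acpi/executer/exoparg2.c
+++ b/drivers/acpi/executer/exoparg2.c
@@ -241,10 +241,6 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
  goto cleanup;
  }
 
- /* Return the remainder */
-
- walk_state->result_obj = return_desc1;
-
  cleanup:
  /*
  * Since the remainder is not returned indirectly, remove a reference to
@@ -259,6 +255,12 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
  acpi_ut_remove_reference(return_desc1);
  }
 
+ /* Save return object (the remainder) on success */
+
+ else {
+ walk_state->result_obj = return_desc1;
+ }
+
  return_ACPI_STATUS(status);
 }
 
@@ -490,6 +492,7 @@ acpi_status acpi_ex_opcode_2A_1T_1R(struct acpi_walk_state *walk_state)
 
  if (ACPI_FAILURE(status)) {
  acpi_ut_remove_reference(return_desc);
+ walk_state->result_obj = NULL;
  }
 
  return_ACPI_STATUS(status);
@@ -583,8 +586,6 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
  return_desc->integer.value = ACPI_INTEGER_MAX;
  }
 
- walk_state->result_obj = return_desc;
-
  cleanup:
 
  /* Delete return object on error */
@@ -593,5 +594,11 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
  acpi_ut_remove_reference(return_desc);
  }
 
+ /* Save return object on success */
+
+ else {
+ walk_state->result_obj = return_desc;
+ }
+
  return_ACPI_STATUS(status);
 }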
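Review bot: The error branches of acpi_ex_opcode_2A_2T_1R and acpi_ex_opcode_2A_0T_1R release the return descriptor but never write result_obj, whereas the 2A_1T_1R hunk in this same file adds `walk_state->result_obj = NULL;` on failure. These two handlers therefore depend on result_obj already being NULL on entry, which the hunks do not show; if it can carry an earlier value, a later reader of the field would pick up that leftover pointer after a failed opcode. Adding `walk_state->result_obj = NULL;` after the `acpi_ut_remove_reference(...)` call in each error branch would match the commit message and make every handler behave the same way. acpi_ex_opcode_6A_0T_1R in exoparg6.c has the same shape, and the `if` conditions of all three branches lie outside the hunks.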
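--- a/drivers/acpi/executer/exoparg3.c
+++ b/drivers/acpi/executer/exoparg3.c
@@ -260,6 +260,7 @@ acpi_status acpi_ex_opcode_3A_1T_1R(struct acpi_walk_state *walk_state)
 
  if (ACPI_FAILURE(status) || walk_state->result_obj) {
  acpi_ut_remove_reference(return_desc);
+ walk_state->result_obj = NULL;
  }
 
  /* Set the return object and exit */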
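--- a/drivers/acpi/executer/exoparg6.c
+++ b/drivers/acpi/executer/exoparg6.c
@@ -322,8 +322,6 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
  goto cleanup;
  }
 
- walk_state->result_obj = return_desc;
-
  cleanup:
 
  /* Delete return object on error */
@@ -332,5 +330,11 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
  acpi_ut_remove_reference(return_desc);
  }
 
+ /* Save return object on success */
+
+ else {
+ walk_state->result_obj = return_desc;
+ }
+
  return_ACPI_STATUS(status);
 }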