Date: Fri, 5 Nov 2010 19:50:09 +0000 (UTC) From: Jung-uk Kim <jkim@FreeBSD.org> To: cvs-src-old@freebsd.org Subject: cvs commit: src/sys/dev/acpica acpi_pci_link.c Message-ID: <201011051950.oA5JoML2000724@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
jkim 2010-11-05 19:50:09 UTC
FreeBSD src repository
Modified files:
sys/dev/acpica acpi_pci_link.c
Log:
SVN rev 214848 on 2010-11-05 19:50:09Z by jkim
Fix a use-after-free bug for extended IRQ resource[1]. When _PRS buffer is
copied as a template for _SRS, a string pointer for descriptor name is also
copied and it becomes stale as soon as it gets de-allocated[2]. Now _CRS is
used as a template for _SRS as ACPI specification suggests if it is usable.
The template from _PRS is still utilized but only when _CRS is not available
or broken. To avoid use-after-free the problem in this case, however, only
mandatory fields are copied, optional data is removed, and structure length
is adjusted accordingly.
Reported by: hps[1]
Analyzed by: avg[2]
Tested by: hps
Revision Changes Path
1.60 +34 -44 src/sys/dev/acpica/acpi_pci_link.c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201011051950.oA5JoML2000724>