ACPICA: Fix error code path in acpi_ds_call_control_method()
CVE-2022-50411
What is CVE-2022-50411?
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Fix error code path in acpi_ds_call_control_method()
A use-after-free in acpi_ps_parse_aml() after a failing invocaion of acpi_ds_call_control_method() is reported by KASAN [1] and code inspection reveals that next_walk_state pushed to the thread by acpi_ds_create_walk_state() is freed on errors, but it is not popped from the thread beforehand. Thus acpi_ds_get_current_walk_state() called by acpi_ps_parse_aml() subsequently returns it as the new walk state which is incorrect.
To address this, make acpi_ds_call_control_method() call acpi_ds_pop_walk_state() to pop next_walk_state from the thread before returning an error.
Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 38e251d356a01b61a86cb35213cafd7e8fe7090c
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2deb42c4f9776e59bee247c14af9c5e8c05ca9a6