Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Date: Sun, 8 Mar 2020 11:03:19 +0000
From: "Martin Husemann" <martin@netbsd.org>
Subject: CVS commit: [netbsd-9] src/sys/dev/acpi
To: source-changes@NetBSD.org
Message-Id: <20200308110319.F0E6AFB27@cvs.NetBSD.org>
Sender: source-changes-owner@NetBSD.org
Precedence: bulk
Reply-To: source-changes-d@NetBSD.org
Mail-Reply-To: "Martin Husemann" <martin@netbsd.org>
Mail-Followup-To: source-changes-d@NetBSD.org

Module Name:	src
Committed By:	martin
Date:		Sun Mar  8 11:03:19 UTC 2020

Modified Files:
	src/sys/dev/acpi [netbsd-9]: acpi_pci_link.c

Log Message:
Pull up following revision(s) (requested by chs in ticket #765):

	sys/dev/acpi/acpi_pci_link.c: revision 1.25

apply FreeBSD revs r214848 and r214849:

    r214849 | jkim | 2010-11-05 13:24:26 -0700 (Fri, 05 Nov 2010) | 2 lines
    Add a forgotten change from the previous commit.
    r214848 | jkim | 2010-11-05 12:50:09 -0700 (Fri, 05 Nov 2010) | 13 lines

    Fix a use-after-free bug for extended IRQ resource[1].  When _PRS buffer is
    copied as a template for _SRS, a string pointer for descriptor name is also
    copied and it becomes stale as soon as it gets de-allocated[2].  Now _CRS is
    used as a template for _SRS as ACPI specification suggests if it is usable.

    The template from _PRS is still utilized but only when _CRS is not available
    or broken.  To avoid use-after-free the problem in this case, however, only
    mandatory fields are copied, optional data is removed, and structure length
    is adjusted accordingly.

    Reported by:    hps[1]
    Analyzed by:    avg[2]
    Tested by:      hps

This also fixes reading past the end of a structure as detected by KASAN.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.26.1 src/sys/dev/acpi/acpi_pci_link.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.