Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
ACPI: custom_method: fix potential use-after-free issue
In cm_write(), buf is always freed when reaching the end of the function. If the requested count is less than table.length, the allocated buffer will be freed but subsequent calls to cm_write() will still try to access it.
Remove the unconditional kfree(buf) at the end of the function and set the buf to NULL in the -EINVAL error path to match the rest of function.
Details
- Affected product:
- Ubuntu 16.04 ELS , Ubuntu 18.04 ELS
- Affected packages:
- linux-hwe @ 4.15.0 (+2 more)
In the Linux kernel, the following vulnerability has been resolved:
ACPI: custom_method: fix potential use-after-free issue
In cm_write(), buf is always freed when reaching the end of the function. If the requested count is less than table.length, the allocated buffer will be freed but subsequent calls to cm_write() will still try to access it.
Remove the unconditional kfree(buf) at the end of the function and set the buf to NULL in the -EINVAL error path to match the rest of function.