CVE-2022-50423

In the Linux kernel, the following vulnerability has been resolved:

ACPICA: Fix use-after-free in acpiutcopyipackageto_ipackage()

There is an use-after-free reported by KASAN:

BUG: KASAN: use-after-free in acpiutremovereference+0x3b/0x82 Read of size 1 at addr ffff888112afc460 by task modprobe/2111 CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), Call Trace: <TASK> kasanreport+0xae/0xe0 acpiutremovereference+0x3b/0x82 acpiutcopyiobjecttoiobject+0x3be/0x3d5 acpidsstoreobjecttolocal+0x15d/0x3a0 acpiexstore+0x78d/0x7fd acpiexopcode1A1T1R+0xbe4/0xf9b acpipsparse_aml+0x217/0x8d5 ... </TASK>

The root cause of the problem is that the acpioperandobject is freed when acpiutwalkpackagetree() fails in acpiutcopyipackagetoipackage(), lead to repeated release in acpiutcopyiobjecttoiobject(). The problem was introduced by "8aa5e56eeb61" commit, this commit is to fix memory leak in acpiutcopyiobjecttoiobject(), repeatedly adding remove operation, lead to "acpioperand_object" used after free.

Fix it by removing acpiutremovereference() in acpiutcopyipackagetoipackage(). acpiutcopyipackagetoipackage() is called to copy an internal package object into another internal package object, when it fails, the memory of acpioperand_object should be freed by the caller.