In the Linux kernel, the following vulnerability has been resolved: ACPI: custom_method: fix potential use-after-free issue In cm_write(), buf is always freed when reaching the end of the function. If the requested count is less than table.length, the allocated buffer will be freed but subsequent calls to cm_write() will still try to access it. Remove the unconditional kfree(buf) at the end of the function and set the buf to NULL in the -EINVAL error path to match the rest of function.
| Product | Vendor | Version |
|---|---|---|
| Linux | Linux | n/a |
| Linux | Linux | All versions up to and including v1.8.3 |
| Linux | Linux | 2008 R2 for x64-based Systems Service Pack 1 (Core installation) |
| Linux | Linux | 2008 for 32-bit Systems Service Pack 2 |