| author | ikaros <void0red@gmail.com> | 2026-05-27 21:10:18 +0300 |
|---|---|---|
| committer | Rafael J. Wysocki <rafael.j.wysocki@intel.com> | 2026-05-27 21:18:47 +0300 |
| commit | bdc35754012906dbf094be104b103ca3adfef6f7 (patch) | |
| tree | 84fdad3fe8234ed3712372f994f05f479f243877 | |
| parent | d27d48a528e437aed690f977e69a6fe73fe82ab5 (diff) | |
ACPICA: add boundary checks in two places
Add boundary checks in acpi_ps_get_next_namestring() and
acpi_ps_peek_opcode() to prevent out-of-bounds access.
Link: https://github.com/acpica/acpica/commit/cfdc96896d8d
Signed-off-by: ikaros <void0red@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/5180044.0VBMTVartN@rafael.j.wysocki
| -rw-r--r-- | drivers/acpi/acpica/psargs.c | 18 | ||||
| -rw-r--r-- | drivers/acpi/acpica/psparse.c | 6 |
2 files changed, 23 insertions, 1 deletions
diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c
index 95d540bda4fb..4643c839df7f 100644
--- a/drivers/acpi/acpica/psargs.c
+++ b/drivers/acpi/acpica/psargs.c
@@ -148,10 +148,16 @@ char *acpi_ps_get_next_namestring(struct acpi_parse_state *parser_state)
 /* Point past any namestring prefix characters (backslash or carat) */
- while (ACPI_IS_ROOT_PREFIX(*end) || ACPI_IS_PARENT_PREFIX(*end)) {
+ while (end < parser_state->aml_end &&
+ (ACPI_IS_ROOT_PREFIX(*end) || ACPI_IS_PARENT_PREFIX(*end))) {
 end++;
 }
+ if (end >= parser_state->aml_end) {
+ parser_state->aml = parser_state->aml_end;
+ return_PTR(NULL);
+ }
+
 /* Decode the path prefix character */
 switch (*end) {
@@ -176,6 +182,11 @@ char *acpi_ps_get_next_namestring(struct acpi_parse_state *parser_state)
 /* Multiple name segments, 4 chars each, count in next byte */
+ if ((end + 1) >= parser_state->aml_end) {
+ parser_state->aml = parser_state->aml_end;
+ return_PTR(NULL);
+ }
+
 end += 2 + (*(end + 1) * ACPI_NAMESEG_SIZE);
 break;
@@ -187,6 +198,11 @@ char *acpi_ps_get_next_namestring(struct acpi_parse_state *parser_state)
 break;
 }
+ if (end > parser_state->aml_end) {
+ parser_state->aml = parser_state->aml_end;
+ return_PTR(NULL);
+ }
+
 parser_state->aml = end;
 return_PTR((char *)start);
 }
diff --git a/drivers/acpi/acpica/psparse.c b/drivers/acpi/acpica/psparse.c
index 29b57d2c4cc4..42ec8abef626 100644
--- a/drivers/acpi/acpica/psparse.c
+++ b/drivers/acpi/acpica/psparse.c
@@ -70,6 +70,9 @@ u16 acpi_ps_peek_opcode(struct acpi_parse_state * parser_state)
 u16 opcode;
 aml = parser_state->aml;
+ if (aml >= parser_state->aml_end) {
+ return (0xFFFF);
+ }
 opcode = (u16) ACPI_GET8(aml);
 if (opcode == AML_EXTENDED_PREFIX) {
@@ -77,6 +80,9 @@ u16 acpi_ps_peek_opcode(struct acpi_parse_state * parser_state)
 /* Extended opcode, get the second opcode byte */
 aml++;
+ if (aml >= parser_state->aml_end) {
+ return (0xFFFF);
+ }
 opcode = (u16) ((opcode << 8) | ACPI_GET8(aml));
 } |
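Review bot: The new `return_PTR(NULL)` after the prefix loop introduces a failure return for acpi_ps_get_next_namestring() that nothing in these hunks documents, and the callers are not part of this diff. It is worth confirming that no caller dereferences the result and that none treats NULL as a legitimate empty name, since that would let truncated AML be accepted silently instead of being reported as an error. I would state the contract in the function header, for example `Returns NULL and sets parser_state->aml to aml_end when the name runs past the end of the AML buffer`. The function body starts before this hunk and continues after it.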
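Review bot: In the multi-name arm (the @@ -176 hunk of psargs.c) the added guard only proves that the count byte is readable. `end += 2 + (*(end + 1) * ACPI_NAMESEG_SIZE)` can then move `end` well past `aml_end`, by as much as the count byte allows, before the `end > parser_state->aml_end` test in the @@ -187 hunk rejects it. A pointer formed that far beyond the buffer is undefined in C and the later comparison only holds if the address does not wrap, so comparing lengths before advancing is sturdier: `if ((acpi_size)(2 + *(end + 1) * ACPI_NAMESEG_SIZE) > ACPI_PTR_DIFF(parser_state->aml_end, end))` followed by the same bail-out. The other switch arms lie between the hunks and presumably depend on the same trailing check, so the point would apply to them as well.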
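Review bot: `0xFFFF` is returned as an in-band "no opcode" value by both added checks in acpi_ps_peek_opcode() (the @@ -70 and @@ -77 hunks of psparse.c) with no name and no comment, and the callers are outside this diff. If a caller looks the value up as an ordinary opcode and handles it as unknown-and-skippable, the parser could still advance past `aml_end`, so each call site should be checked to treat it as end of input. A named constant and a line such as `/* No byte left before aml_end: report the 0xFFFF end-of-input sentinel */` would make the contract visible. A truncated extended prefix now yields the same value as an empty buffer, which looks acceptable but belongs in the function's header comment.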
