[PATCH v1 14/27] ACPICA: add boundary checks in acpi_ps_get_next_field()

drivers/acpi/acpica/psargs.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
Posted by Rafael J. Wysocki 1 week, 4 days ago
From: ikaros <void0red@gmail.com>

Add boundary checks in acpi_ps_get_next_field() to prevent out-of-bounds
access.

Link: https://github.com/acpica/acpica/commit/c39183ea84bc
Signed-off-by: ikaros <void0red@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/acpi/acpica/psargs.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c
index 87d32fbba0a6..3526ea109414 100644
--- a/drivers/acpi/acpica/psargs.c
+++ b/drivers/acpi/acpica/psargs.c
@@ -491,6 +491,10 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
 	ASL_CV_CAPTURE_COMMENTS_ONLY(parser_state);
 	aml = parser_state->aml;
 
+	if (aml >= parser_state->aml_end) {
+		return_PTR(NULL);
+	}
+
 	/* Determine field type */
 
 	switch (ACPI_GET8(parser_state->aml)) {
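Review bot: The new guard before the opcode switch returns NULL for a truncated field list with no diagnostic, and the three later guards in this patch do the same. If I recall the field-list loop in acpi_ps_get_next_arg correctly, a NULL from acpi_ps_get_next_field is turned into AE_NO_MEMORY, so a malformed or truncated table would surface as an allocation failure, which makes the firmware problem hard to tell apart from a real OOM; worth confirming against the caller. An `ACPI_ERROR((AE_INFO, "Field list truncated at end of AML"))` before the `return_PTR(NULL)`, or at least a comment such as `/* Truncated AML: no opcode byte left to read */`, would make the failure attributable. acpi_ps_get_next_field starts before this hunk and continues after it.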
@@ -539,6 +543,11 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
 
 		/* Get the 4-character name */
 
+		if ((parser_state->aml + ACPI_NAMESEG_SIZE) >
+		    parser_state->aml_end) {
+			acpi_ps_free_op(field);
+			return_PTR(NULL);
+		}
 		ACPI_MOVE_32_TO_32(&name, parser_state->aml);
 		acpi_ps_set_name(field, name);
 		parser_state->aml += ACPI_NAMESEG_SIZE;
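Review bot: The check `(parser_state->aml + ACPI_NAMESEG_SIZE) > parser_state->aml_end` forms a pointer beyond the buffer end before comparing it, which is technically undefined pointer arithmetic even though the comparison itself is what protects the read; writing it as a remaining-bytes test, `if (parser_state->aml_end - parser_state->aml < ACPI_NAMESEG_SIZE)`, avoids that and reads directly as "not enough bytes left". The same form applies to the `(parser_state->aml + 2) > parser_state->aml_end` guard in the -584 hunk, where the bare `2` could also be tied to the "two bytes (Type/Attribute)" comment above it with a short comment on the check. Freeing `field` on this new path looks right since the op was allocated earlier in the function, but that allocation is outside the hunk. The enclosing switch case starts before this hunk.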
@@ -584,6 +593,10 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
 
 		/* Get the two bytes (Type/Attribute) */
 
+		if ((parser_state->aml + 2) > parser_state->aml_end) {
+			acpi_ps_free_op(field);
+			return_PTR(NULL);
+		}
 		access_type = ACPI_GET8(parser_state->aml);
 		parser_state->aml++;
 		access_attribute = ACPI_GET8(parser_state->aml);
@@ -595,6 +608,10 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
 		/* This opcode has a third byte, access_length */
 
 		if (opcode == AML_INT_EXTACCESSFIELD_OP) {
+			if (parser_state->aml >= parser_state->aml_end) {
+				acpi_ps_free_op(field);
+				return_PTR(NULL);
+			}
 			access_length = ACPI_GET8(parser_state->aml);
 			parser_state->aml++;
 
-- 
2.51.0