From: ikaros <void0red@gmail.com>
Enhance buffer validation in acpi_ut_walk_aml_resources() to prevent
buffer overflows.
Link: https://github.com/acpica/acpica/commit/975cb20c7992
Signed-off-by: ikaros <void0red@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
drivers/acpi/acpica/utresrc.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/drivers/acpi/acpica/utresrc.c b/drivers/acpi/acpica/utresrc.c
index e1cc3d348750..86ebd9fb869a 100644
--- a/drivers/acpi/acpica/utresrc.c
+++ b/drivers/acpi/acpica/utresrc.c
@@ -165,6 +165,28 @@ acpi_ut_walk_aml_resources(struct acpi_walk_state *walk_state,
/* Walk the byte list, abort on any invalid descriptor type or length */
while (aml < end_aml) {
+ /*
+ * Validate that the remaining buffer space can hold enough
+ * bytes to safely access fields during validation.
+ * For large resource descriptors (bit 7 set), we need enough
+ * bytes to access the Type field in serial_bus resources.
+ * Small resource descriptors only need sizeof(struct aml_resource_end_tag).
+ */
+ if ((acpi_size)(end_aml - aml) <
+ sizeof(struct aml_resource_end_tag)) {
+ return_ACPI_STATUS(AE_AML_BUFFER_LENGTH);
+ }
+
+ /*
+ * For large resource descriptors, ensure enough space for
+ * the header plus serial_bus Type field access.
+ */
+ if ((ACPI_GET8(aml) & ACPI_RESOURCE_NAME_LARGE) &&
+ ((acpi_size)(end_aml - aml) <
+ ACPI_OFFSET(struct aml_resource_common_serialbus,
+ type) + 1)) {
+ return_ACPI_STATUS(AE_AML_BUFFER_LENGTH);
+ }
/* Validate the Resource Type and Resource Length */
@@ -182,6 +204,14 @@ acpi_ut_walk_aml_resources(struct acpi_walk_state *walk_state,
length = acpi_ut_get_descriptor_length(aml);
+ /*
+ * Validate that the descriptor length doesn't exceed the
+ * remaining buffer size to prevent reading beyond the end.
+ */
+ if (length > (acpi_size)(end_aml - aml)) {
+ return_ACPI_STATUS(AE_AML_BUFFER_LENGTH);
+ }
+
/* Invoke the user function */
if (user_function) {
--
2.51.0