ACPICA: Enhance buffer validation in acpi_ut_walk_aml_resources()

Enhance buffer validation in acpi_ut_walk_aml_resources() to prevent
buffer overflows.

Link: https://github.com/acpica/acpica/commit/975cb20c7992
Signed-off-by: ikaros <void0red@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2481429.NG923GbCHz@rafael.j.wysocki

diff --git a/drivers/acpi/acpica/utresrc.c b/drivers/acpi/acpica/utresrc.c
index e1cc3d3487508ccc82dec447b58aa0631a24d736..86ebd9fb869af77cfc648c7d848df2fc3ee2b72c 100644 (file)
--- a/drivers/acpi/acpica/utresrc.c
+++ b/drivers/acpi/acpica/utresrc.c
@@ -165,6 +165,28 @@ acpi_ut_walk_aml_resources(struct acpi_walk_state *walk_state,
        /* Walk the byte list, abort on any invalid descriptor type or length */
 
        while (aml < end_aml) {
+               /*
+                * Validate that the remaining buffer space can hold enough
+                * bytes to safely access fields during validation.
+                * For large resource descriptors (bit 7 set), we need enough
+                * bytes to access the Type field in serial_bus resources.
+                * Small resource descriptors only need sizeof(struct aml_resource_end_tag).
+                */
+               if ((acpi_size)(end_aml - aml) <
+                   sizeof(struct aml_resource_end_tag)) {
+                       return_ACPI_STATUS(AE_AML_BUFFER_LENGTH);
+               }
+
+               /*
+                * For large resource descriptors, ensure enough space for
+                * the header plus serial_bus Type field access.
+                */
+               if ((ACPI_GET8(aml) & ACPI_RESOURCE_NAME_LARGE) &&
+                   ((acpi_size)(end_aml - aml) <
+                    ACPI_OFFSET(struct aml_resource_common_serialbus,
+                                type) + 1)) {
+                       return_ACPI_STATUS(AE_AML_BUFFER_LENGTH);
+               }
 
                /* Validate the Resource Type and Resource Length */
 
@@ -182,6 +204,14 @@ acpi_ut_walk_aml_resources(struct acpi_walk_state *walk_state,
 
                length = acpi_ut_get_descriptor_length(aml);
 
+               /*
+                * Validate that the descriptor length doesn't exceed the
+                * remaining buffer size to prevent reading beyond the end.
+                */
+               if (length > (acpi_size)(end_aml - aml)) {
+                       return_ACPI_STATUS(AE_AML_BUFFER_LENGTH);
+               }
+
                /* Invoke the user function */
 
                if (user_function) {