ACPICA: validate byte_count in acpi_ps_get_next_package_length()

Validate package length reading in acpi_ps_get_next_package_length().

Link: https://github.com/acpica/acpica/commit/40e03f9941e2
Signed-off-by: ikaros <void0red@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/3616255.QJadu78ljV@rafael.j.wysocki

diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c
index 6f6ae38ec044c68feae9ae96d935acbd59e53516..87d32fbba0a6059d881bcd59caa9b6a515953086 100644 (file)
--- a/drivers/acpi/acpica/psargs.c
+++ b/drivers/acpi/acpica/psargs.c
@@ -48,6 +48,7 @@ acpi_ps_get_next_package_length(struct acpi_parse_state *parser_state)
        u32 package_length = 0;
        u32 byte_count;
        u8 byte_zero_mask = 0x3F;       /* Default [0:5] */
+       u32 remaining;
 
        ACPI_FUNCTION_TRACE(ps_get_next_package_length);
 
@@ -55,7 +56,23 @@ acpi_ps_get_next_package_length(struct acpi_parse_state *parser_state)
         * Byte 0 bits [6:7] contain the number of additional bytes
         * used to encode the package length, either 0,1,2, or 3
         */
+
+       /* Check if we have at least one byte to read */
+       remaining = (u32)ACPI_PTR_DIFF(parser_state->aml_end, aml);
+       if (remaining == 0) {
+               return_UINT32(0);
+       }
+
        byte_count = (aml[0] >> 6);
+
+       /* Validate byte_count and ensure we have enough bytes to read */
+       if (byte_count >= remaining) {
+
+               /* Clamp to available bytes and advance to end */
+               parser_state->aml = parser_state->aml_end;
+               return_UINT32(0);
+       }
+
        parser_state->aml += ((acpi_size)byte_count + 1);
 
        /* Get bytes 3, 2, 1 as needed */