ACPICA: add boundary checks in two places
authorikaros <void0red@gmail.com>
Wed, 27 May 2026 18:10:18 +0000 (20:10 +0200)
committerRafael J. Wysocki <rafael.j.wysocki@intel.com>
Wed, 27 May 2026 18:18:47 +0000 (20:18 +0200)
Add boundary checks in acpi_ps_get_next_namestring() and
acpi_ps_peek_opcode() to prevent out-of-bounds access.

Link: https://github.com/acpica/acpica/commit/cfdc96896d8d
Signed-off-by: ikaros <void0red@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/5180044.0VBMTVartN@rafael.j.wysocki
drivers/acpi/acpica/psargs.c
drivers/acpi/acpica/psparse.c

index 95d540bda4fbf068b166bca8babb4bee4999f3d0..4643c839df7fd17105f6723422c9d1d0148c9530 100644 (file)
@@ -148,10 +148,16 @@ char *acpi_ps_get_next_namestring(struct acpi_parse_state *parser_state)
 
        /* Point past any namestring prefix characters (backslash or carat) */
 
-       while (ACPI_IS_ROOT_PREFIX(*end) || ACPI_IS_PARENT_PREFIX(*end)) {
+       while (end < parser_state->aml_end &&
+              (ACPI_IS_ROOT_PREFIX(*end) || ACPI_IS_PARENT_PREFIX(*end))) {
                end++;
        }
 
+       if (end >= parser_state->aml_end) {
+               parser_state->aml = parser_state->aml_end;
+               return_PTR(NULL);
+       }
+
        /* Decode the path prefix character */
 
        switch (*end) {
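Review bot: The `return_PTR(NULL)` added after the prefix loop changes this function's contract without documenting it. A namestring cut off by `aml_end` now yields NULL and no error is logged at this point. The callers are outside this diff, so it should be confirmed that each one treats NULL as a parse failure and not as an allowed empty name, otherwise truncated AML would be accepted silently. I would add a comment above the check, `/* Prefix run reached aml_end: the name is truncated, consume the buffer and fail */`, and state the NULL return in the function's header comment, which starts outside this hunk.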
@@ -176,6 +182,11 @@ char *acpi_ps_get_next_namestring(struct acpi_parse_state *parser_state)
 
                /* Multiple name segments, 4 chars each, count in next byte */
 
+               if ((end + 1) >= parser_state->aml_end) {
+                       parser_state->aml = parser_state->aml_end;
+                       return_PTR(NULL);
+               }
+
                end += 2 + (*(end + 1) * ACPI_NAMESEG_SIZE);
                break;
 
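Review bot: The added guard only proves that the count byte at `end + 1` is readable. The following `end += 2 + (*(end + 1) * ACPI_NAMESEG_SIZE)` can still move `end` far beyond `aml_end` (up to 255 segments) before the `end > parser_state->aml_end` test in the next hunk sees it. Forming a pointer beyond one-past-the-end of the buffer is undefined in C, so the comparison is safer on lengths before advancing: `if ((acpi_size)(parser_state->aml_end - end) < 2 + ((acpi_size)*(end + 1) * ACPI_NAMESEG_SIZE))` with the same bail-out. The other cases of this switch lie outside the hunk and presumably advance `end` before the final check in the same way.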
@@ -187,6 +198,11 @@ char *acpi_ps_get_next_namestring(struct acpi_parse_state *parser_state)
                break;
        }
 
+       if (end > parser_state->aml_end) {
+               parser_state->aml = parser_state->aml_end;
+               return_PTR(NULL);
+       }
+
        parser_state->aml = end;
        return_PTR((char *)start);
 }
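Review bot: This is the third copy of the same bail-out (also after the prefix loop and in the multi-name case), so any later change to the failure path has to be made in three places. A single exit label would keep them in step, for example `truncated: parser_state->aml = parser_state->aml_end; return_PTR(NULL);` with each check reduced to `goto truncated;`. The test here uses `>` where the other two use `>=`, which looks intentional since a name may end exactly at `aml_end`. A comment would stop it being "fixed" later: `/* end == aml_end is valid: the name is the last item in the buffer */`.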
index 29b57d2c4cc43d3ebdc474a8276d17601cd22dec..42ec8abef626b45e5815316d4664e3b2ac5ce02a 100644 (file)
@@ -70,6 +70,9 @@ u16 acpi_ps_peek_opcode(struct acpi_parse_state * parser_state)
        u16 opcode;
 
        aml = parser_state->aml;
+       if (aml >= parser_state->aml_end) {
+               return (0xFFFF);
+       }
        opcode = (u16) ACPI_GET8(aml);
 
        if (opcode == AML_EXTENDED_PREFIX) {
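Review bot: `0xFFFF` is introduced here as an undocumented sentinel for "no bytes left", and the same literal is repeated in the next hunk for a missing second byte of an extended opcode. Nothing visible tells a caller that this value means truncated AML and not a decoded opcode. The callers are outside this diff, so it should be confirmed that they reject it and do not carry on parsing at the same position. I would give the value a name, or at least a comment at both returns, `/* Past aml_end: return a value that is not intended to match any AML opcode */`, and mention it in the function's header comment, which is outside the hunk.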
@@ -77,6 +80,9 @@ u16 acpi_ps_peek_opcode(struct acpi_parse_state * parser_state)
                /* Extended opcode, get the second opcode byte */
 
                aml++;
+               if (aml >= parser_state->aml_end) {
+                       return (0xFFFF);
+               }
                opcode = (u16) ((opcode << 8) | ACPI_GET8(aml));
        }