ACPICA: add boundary checks in acpi_ps_get_next_field()
authorikaros <void0red@gmail.com>
Wed, 27 May 2026 18:00:39 +0000 (20:00 +0200)
committerRafael J. Wysocki <rafael.j.wysocki@intel.com>
Wed, 27 May 2026 18:18:45 +0000 (20:18 +0200)
Add boundary checks in acpi_ps_get_next_field() to prevent out-of-bounds
access.

Link: https://github.com/acpica/acpica/commit/c39183ea84bc
Signed-off-by: ikaros <void0red@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/24388159.6Emhk5qWAg@rafael.j.wysocki
drivers/acpi/acpica/psargs.c

index 87d32fbba0a6059d881bcd59caa9b6a515953086..3526ea1094146a9fd39c68c79b7c951090977fca 100644 (file)
@@ -491,6 +491,10 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
        ASL_CV_CAPTURE_COMMENTS_ONLY(parser_state);
        aml = parser_state->aml;
 
+       if (aml >= parser_state->aml_end) {
+               return_PTR(NULL);
+       }
+
        /* Determine field type */
 
        switch (ACPI_GET8(parser_state->aml)) {
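Review bot: The new early return hands back NULL with nothing logged, so a field list that runs off the end of the AML buffer is indistinguishable to the caller from any other NULL result of this function. The caller is not shown here; if it maps NULL to an out-of-memory status, a truncated or malformed table would be reported as an allocation failure, which hides the real cause from whoever triages the log. I would emit a diagnostic before the return, e.g. `ACPI_ERROR((AE_INFO, "Field list extends past end of AML buffer"));`, here and at the three later `return_PTR(NULL)` sites added in the hunks at -539, -584 and -595. The function body starts and continues outside this hunk.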
@@ -539,6 +543,11 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
 
                /* Get the 4-character name */
 
+               if ((parser_state->aml + ACPI_NAMESEG_SIZE) >
+                   parser_state->aml_end) {
+                       acpi_ps_free_op(field);
+                       return_PTR(NULL);
+               }
                ACPI_MOVE_32_TO_32(&name, parser_state->aml);
                acpi_ps_set_name(field, name);
                parser_state->aml += ACPI_NAMESEG_SIZE;
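Review bot: The added guard computes `parser_state->aml + ACPI_NAMESEG_SIZE` before comparing, so in exactly the case it is meant to reject it forms a pointer beyond the end of the buffer; C defines pointer arithmetic only up to one past the end of the object, and this code is shared with the upstream ACPICA tree that the commit links to, which is not built only with the kernel's compiler flags. Comparing the remaining length avoids the out-of-range pointer: `if (ACPI_PTR_DIFF(parser_state->aml_end, parser_state->aml) < ACPI_NAMESEG_SIZE) {`. That form assumes aml has not already moved past aml_end, which appears to hold given the entry check in the first hunk, but the code between the two hunks is not visible here. The same rewrite applies to the `parser_state->aml + 2` test in the next hunk.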
@@ -584,6 +593,10 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
 
                /* Get the two bytes (Type/Attribute) */
 
+               if ((parser_state->aml + 2) > parser_state->aml_end) {
+                       acpi_ps_free_op(field);
+                       return_PTR(NULL);
+               }
                access_type = ACPI_GET8(parser_state->aml);
                parser_state->aml++;
                access_attribute = ACPI_GET8(parser_state->aml);
@@ -595,6 +608,10 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
                /* This opcode has a third byte, access_length */
 
                if (opcode == AML_INT_EXTACCESSFIELD_OP) {
+                       if (parser_state->aml >= parser_state->aml_end) {
+                               acpi_ps_free_op(field);
+                               return_PTR(NULL);
+                       }
                        access_length = ACPI_GET8(parser_state->aml);
                        parser_state->aml++;