Unverified Commit e44c42c8 authored by Junrui Luo's avatar Junrui Luo Committed by Ilpo Järvinen
Browse files

platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing 



The hp_populate_*_elements_from_package() functions in the hp-bioscfg
driver contain out-of-bounds array access vulnerabilities.

These functions parse ACPI packages into internal data structures using
a for loop with index variable 'elem' that iterates through
enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.

When processing multi-element fields like PREREQUISITES and
ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
elements using expressions like 'enum_obj[elem + reqs]' and
'enum_obj[elem + pos_values]' within nested loops.

The bug is that the bounds check only validated elem, but did not consider
the additional offset when accessing elem + reqs or elem + pos_values.

The fix changes the bounds check to validate the actual accessed index.

Reported-by: default avatarYuhao Jiang <danisjiang@gmail.com>
Reported-by: default avatarJunrui Luo <moonafterrain@outlook.com>
Fixes: e6c7b3e1 ("platform/x86: hp-bioscfg: string-attributes")
Signed-off-by: default avatarJunrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com


Reviewed-by: default avatarIlpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: default avatarIlpo Järvinen <ilpo.jarvinen@linux.intel.com>
parent 499d987b

drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c

+2 −2
Original line number Diff line number Diff line
@@ -207,7 +207,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum 
		case PREREQUISITES:

			size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);

			for (reqs = 0; reqs < size; reqs++) {

				if (elem >= enum_obj_count) {

				if (elem + reqs >= enum_obj_count) {

					pr_err("Error enum-objects package is too small\n");

					return -EINVAL;

				}
@@ -255,7 +255,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum 


			for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE;

			     pos_values++) {

				if (elem >= enum_obj_count) {

				if (elem + pos_values >= enum_obj_count) {

					pr_err("Error enum-objects package is too small\n");

					return -EINVAL;

				}

drivers/platform/x86/hp/hp-bioscfg/int-attributes.c

+1 −1
Original line number Diff line number Diff line
@@ -227,7 +227,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_ 
			size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);



			for (reqs = 0; reqs < size; reqs++) {

				if (elem >= integer_obj_count) {

				if (elem + reqs >= integer_obj_count) {

					pr_err("Error elem-objects package is too small\n");

					return -EINVAL;

				}

drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c

+5 −0
Original line number Diff line number Diff line
@@ -216,6 +216,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord 
			size = min_t(u32, ordered_list_data->common.prerequisites_size,

				     MAX_PREREQUISITES_SIZE);

			for (reqs = 0; reqs < size; reqs++) {

				if (elem + reqs >= order_obj_count) {

					pr_err("Error elem-objects package is too small\n");

					return -EINVAL;

				}



				ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer,

							       order_obj[elem + reqs].string.length,

							       &str_value, &value_len);

drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c

+5 −0
Original line number Diff line number Diff line
@@ -303,6 +303,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor 
				     MAX_PREREQUISITES_SIZE);



			for (reqs = 0; reqs < size; reqs++) {

				if (elem + reqs >= password_obj_count) {

					pr_err("Error elem-objects package is too small\n");

					return -EINVAL;

				}



				ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer,

							       password_obj[elem + reqs].string.length,

							       &str_value, &value_len);

drivers/platform/x86/hp/hp-bioscfg/string-attributes.c

+1 −1
Original line number Diff line number Diff line
@@ -217,7 +217,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob 
				     MAX_PREREQUISITES_SIZE);



			for (reqs = 0; reqs < size; reqs++) {

				if (elem >= string_obj_count) {

				if (elem + reqs >= string_obj_count) {

					pr_err("Error elem-objects package is too small\n");

					return -EINVAL;

				}