From: "Rafael J. Wysocki" <rafael@kernel.org>
To: Linux ACPI <linux-acpi@vger.kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Saket Dumbre <saket.dumbre@intel.com>,
Pawel Chmielewski <pawel.chmielewski@intel.com>
Subject: [PATCH v1 22/27] ACPICA: Enhance OEM ID and Table ID validation in acpi_ex_load_table_op()
Date: Wed, 27 May 2026 20:06:25 +0200
Message-ID: <2230782.OBFZWjSADL@rafael.j.wysocki>
In-Reply-To: <5998844.DvuYhMxLoT@rafael.j.wysocki>
From: ikaros <void0red@gmail.com>
Enhance OEM ID and Table ID validation in acpi_ex_load_table_op() to
prevent buffer overflows.
Link: https://github.com/acpica/acpica/commit/f85a43098d65
Signed-off-by: ikaros <void0red@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
drivers/acpi/acpica/exconfig.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/acpica/exconfig.c b/drivers/acpi/acpica/exconfig.c
index 4d7dd0fc6b07..894695db0cf9 100644
--- a/drivers/acpi/acpica/exconfig.c
+++ b/drivers/acpi/acpica/exconfig.c
@@ -90,6 +90,8 @@ acpi_ex_load_table_op(struct acpi_walk_state *walk_state,
union acpi_operand_object *return_obj;
union acpi_operand_object *ddb_handle;
u32 table_index;
+ char oem_id[ACPI_OEM_ID_SIZE + 1];
+ char oem_table_id[ACPI_OEM_TABLE_ID_SIZE + 1];
ACPI_FUNCTION_TRACE(ex_load_table_op);
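Review bot: oem_id and oem_table_id are declared without an initializer, and the copy added further down writes only string.length bytes plus a single terminator into each. The new comment says acpi_tb_find_table reads ACPI_OEM_ID_SIZE and ACPI_OEM_TABLE_ID_SIZE bytes, so for an operand shorter than the field, any bytes past the terminator are uninitialized stack contents if the callee really consumes the full width. Zero-initializing both arrays at declaration (for example with "= { 0 }") makes the padding deterministic and would let the two explicit terminator stores be dropped.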
@@ -102,12 +104,32 @@ acpi_ex_load_table_op(struct acpi_walk_state *walk_state,
*return_desc = return_obj;
+ /*
+ * Validate OEM ID and OEM Table ID string lengths.
+ * acpi_tb_find_table expects strings that can safely read
+ * ACPI_OEM_ID_SIZE and ACPI_OEM_TABLE_ID_SIZE bytes.
+ */
+ if ((operand[1]->string.length > ACPI_OEM_ID_SIZE) ||
+ (operand[2]->string.length > ACPI_OEM_TABLE_ID_SIZE)) {
+ return_ACPI_STATUS(AE_AML_STRING_LIMIT);
+ }
+
+ /*
+ * Copy OEM strings to local buffers with guaranteed null-termination.
+ * This prevents heap-buffer-overflow when acpi_tb_find_table reads
+ * ACPI_OEM_ID_SIZE/ACPI_OEM_TABLE_ID_SIZE bytes.
+ */
+ memcpy(oem_id, operand[1]->string.pointer, operand[1]->string.length);
+ oem_id[operand[1]->string.length] = 0;
+ memcpy(oem_table_id, operand[2]->string.pointer,
+ operand[2]->string.length);
+ oem_table_id[operand[2]->string.length] = 0;
+
/* Find the ACPI table in the RSDT/XSDT */
acpi_ex_exit_interpreter();
status = acpi_tb_find_table(operand[0]->string.pointer,
- operand[1]->string.pointer,
- operand[2]->string.pointer, &table_index);
+ oem_id, oem_table_id, &table_index);
acpi_ex_enter_interpreter();
if (ACPI_FAILURE(status)) {
if (status != AE_NOT_FOUND) {
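Review bot: operand[0]->string.pointer, the signature argument, still goes to acpi_tb_find_table() straight from the AML operand with no length check and no bounded local copy, while operand[1] and operand[2] now get both. If the callee reads a fixed number of signature bytes in the way the new comment describes for the OEM fields, a short signature string leaves the same over-read in place. Either give operand[0] the same check-and-copy treatment or extend the comment to say why the signature does not need it.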
--
2.51.0
Thread overview: 28+ messages
2026-05-27 17:50 [PATCH v1 00/27] ACPI: ACPICA 20260408 Rafael J. Wysocki
2026-05-27 17:51 ` [PATCH v1 01/27] ACPICA: actypes: Distinguish between D3hot/cold Rafael J. Wysocki
2026-05-27 17:52 ` [PATCH v1 02/27] ACPICA: actbl2.h: ACPI 6.6: Updates for MADT MPWakeup Rafael J. Wysocki
2026-05-27 17:53 ` [PATCH v1 03/27] ACPICA: Fix condition check in acpi_ps_parse_loop() Rafael J. Wysocki
2026-05-27 17:53 ` [PATCH v1 04/27] ACPICA: Add alias node support in namespace handling Rafael J. Wysocki
2026-05-27 17:54 ` [PATCH v1 05/27] ACPICA: Add modern standby DSM GUIDs Rafael J. Wysocki
2026-05-27 17:55 ` [PATCH v1 06/27] ACPICA: Fix FADT 32/64X length mismatch warning Rafael J. Wysocki
2026-05-27 17:55 ` [PATCH v1 07/27] ACPICA: Add LVR to acrestyp.h Rafael J. Wysocki
2026-05-27 17:56 ` [PATCH v1 08/27] ACPICA: Fetch LVR I2C resource descriptor Rafael J. Wysocki
2026-05-27 17:57 ` [PATCH v1 09/27] ACPICA: Change LVR to 8 bit value Rafael J. Wysocki
2026-05-27 17:57 ` [PATCH v1 10/27] ACPICA: Mention the LVR bits Rafael J. Wysocki
2026-05-27 17:58 ` [PATCH v1 11/27] ACPICA: fix I2C LVR item count in the conversion table Rafael J. Wysocki
2026-05-27 17:59 ` [PATCH v1 12/27] ACPICA: Fix use-after-free in acpi_ds_terminate_control_method() Rafael J. Wysocki
2026-05-27 17:59 ` [PATCH v1 13/27] ACPICA: validate byte_count in acpi_ps_get_next_package_length() Rafael J. Wysocki
2026-05-27 18:00 ` [PATCH v1 14/27] ACPICA: add boundary checks in acpi_ps_get_next_field() Rafael J. Wysocki
2026-05-27 18:01 ` [PATCH v1 15/27] ACPICA: Prevent adding invalid references Rafael J. Wysocki
2026-05-27 18:02 ` [PATCH v1 16/27] ACPICA: Fix integer overflow in acpi_ex_opcode_3A_1T_1R() (mid_op) Rafael J. Wysocki
2026-05-27 18:02 ` [PATCH v1 17/27] ACPICA: Improve argument parsing in acpi_ps_get_next_simple_arg() Rafael J. Wysocki
2026-05-27 18:03 ` [PATCH v1 18/27] ACPICA: validate handler object type in two places Rafael J. Wysocki
2026-05-27 18:04 ` [PATCH v1 19/27] ACPICA: Add validation for node in acpi_ns_build_normalized_path() Rafael J. Wysocki
2026-05-27 18:04 ` [PATCH v1 20/27] ACPICA: Enhance buffer validation in acpi_ut_walk_aml_resources() Rafael J. Wysocki
2026-05-27 18:05 ` [PATCH v1 21/27] ACPICA: Fix NULL pointer dereference in acpi_ns_custom_package() Rafael J. Wysocki
2026-05-27 18:06 ` Rafael J. Wysocki [this message]
2026-05-27 18:07 ` [PATCH v1 23/27] ACPICA: Remove spurious precision from format used to dump parse trees Rafael J. Wysocki
2026-05-27 18:08 ` [PATCH v1 24/27] ACPICA: Update the copyright year to 2026 Rafael J. Wysocki
2026-05-27 18:08 ` [PATCH v1 25/27] ACPICA: Update version to 20260408 Rafael J. Wysocki
2026-05-27 18:09 ` [PATCH v1 26/27] ACPICA: Add package limit checks in parser functions Rafael J. Wysocki
2026-05-27 18:10 ` [PATCH v1 27/27] ACPICA: add boundary checks in two places Rafael J. Wysocki