From: "Rafael J. Wysocki" <rafael@kernel.org>
To: Linux ACPI <linux-acpi@vger.kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Saket Dumbre <saket.dumbre@intel.com>,
Pawel Chmielewski <pawel.chmielewski@intel.com>
Subject: [PATCH v1 22/27] ACPICA: Enhance OEM ID and Table ID validation in acpi_ex_load_table_op()
Date: Wed, 27 May 2026 20:06:25 +0200
Message-ID: <2230782.OBFZWjSADL@rafael.j.wysocki>
In-Reply-To: <5998844.DvuYhMxLoT@rafael.j.wysocki>
From: ikaros <void0red@gmail.com>
Enhance OEM ID and Table ID validation in acpi_ex_load_table_op() to
prevent buffer overflows.
Link: https://github.com/acpica/acpica/commit/f85a43098d65
Signed-off-by: ikaros <void0red@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
drivers/acpi/acpica/exconfig.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/acpica/exconfig.c b/drivers/acpi/acpica/exconfig.c
index 4d7dd0fc6b07..894695db0cf9 100644
--- a/drivers/acpi/acpica/exconfig.c
+++ b/drivers/acpi/acpica/exconfig.c
@@ -90,6 +90,8 @@ acpi_ex_load_table_op(struct acpi_walk_state *walk_state,
union acpi_operand_object *return_obj;
union acpi_operand_object *ddb_handle;
u32 table_index;
+ char oem_id[ACPI_OEM_ID_SIZE + 1];
+ char oem_table_id[ACPI_OEM_TABLE_ID_SIZE + 1];
ACPI_FUNCTION_TRACE(ex_load_table_op);
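Review bot: oem_id and oem_table_id are declared without an initializer, and the later memcpy() fills only string.length bytes plus one terminator, so for any operand shorter than the maximum the tail of each buffer is uninitialized stack. The comment in the next hunk says acpi_tb_find_table reads ACPI_OEM_ID_SIZE and ACPI_OEM_TABLE_ID_SIZE bytes; if that read is fixed-width rather than NUL-terminated, it would consume those stale bytes and the comparison result would depend on stack contents. Zero-initializing both arrays at declaration (for example "char oem_id[ACPI_OEM_ID_SIZE + 1] = { 0 };") removes the question and makes the explicit terminator stores redundant but harmless.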
@@ -102,12 +104,32 @@ acpi_ex_load_table_op(struct acpi_walk_state *walk_state,
*return_desc = return_obj;
+ /*
+ * Validate OEM ID and OEM Table ID string lengths.
+ * acpi_tb_find_table expects strings that can safely read
+ * ACPI_OEM_ID_SIZE and ACPI_OEM_TABLE_ID_SIZE bytes.
+ */
+ if ((operand[1]->string.length > ACPI_OEM_ID_SIZE) ||
+ (operand[2]->string.length > ACPI_OEM_TABLE_ID_SIZE)) {
+ return_ACPI_STATUS(AE_AML_STRING_LIMIT);
+ }
+
+ /*
+ * Copy OEM strings to local buffers with guaranteed null-termination.
+ * This prevents heap-buffer-overflow when acpi_tb_find_table reads
+ * ACPI_OEM_ID_SIZE/ACPI_OEM_TABLE_ID_SIZE bytes.
+ */
+ memcpy(oem_id, operand[1]->string.pointer, operand[1]->string.length);
+ oem_id[operand[1]->string.length] = 0;
+ memcpy(oem_table_id, operand[2]->string.pointer,
+ operand[2]->string.length);
+ oem_table_id[operand[2]->string.length] = 0;
+
/* Find the ACPI table in the RSDT/XSDT */
acpi_ex_exit_interpreter();
status = acpi_tb_find_table(operand[0]->string.pointer,
- operand[1]->string.pointer,
- operand[2]->string.pointer, &table_index);
+ oem_id, oem_table_id, &table_index);
acpi_ex_enter_interpreter();
if (ACPI_FAILURE(status)) {
if (status != AE_NOT_FOUND) {
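Review bot: operand[0]->string.pointer is still passed to acpi_tb_find_table() unchanged, with no length check and no bounded copy, while operand[1] and operand[2] now get both. If the callee reads a fixed number of bytes from the signature argument in the same way the new comment describes for the OEM fields, a short or unterminated signature string leaves the same over-read in place; either validate and copy operand[0] alongside the other two or state in the comment why the signature does not need it. Two smaller points: the new early return with AE_AML_STRING_LIMIT comes after "*return_desc = return_obj;", so it is worth confirming that callers handle a populated return_desc on that error path the same way as the existing failure return below; and the commit message says "buffer overflows" while the comment describes a read past the end of a heap string, so the changelog should name it as an out-of-bounds read.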
--
2.51.0