* [PATCH] media: atomisp: avoid ACPI package count underflow in gmin_cfg_get_dsm
@ 2026-04-09 21:41 Mohamed El Harake
2026-04-10 9:23 ` Jose A. Perez de Azpillaga
2026-04-10 18:27 ` Hans de Goede
0 siblings, 2 replies; 3+ messages in thread
From: Mohamed El Harake @ 2026-04-09 21:41 UTC (permalink / raw)
To: hansg
Cc: mchehab, sakari.ailus, andy, gregkh, linux-media, linux-kernel,
linux-staging, Mohamad El Harake
From: Mohamad El Harake <mohamedharake2006@gmail.com>
gmin_cfg_get_dsm() iterates over ACPI _DSM package elements as
key/value pairs using obj->package.count - 1 as the loop bound.
If package.count is 0, the subtraction underflows and may lead
to out-of-bounds access.
Use i + 1 < obj->package.count instead.
Signed-off-by: Mohamad El Harake <mohamedharake2006@gmail.com>
---
drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
index ba61cc28fac1..cca91c6d71a5 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
@@ -113,7 +113,7 @@ static char *gmin_cfg_get_dsm(struct acpi_device *adev, const char *key)
if (!obj)
return NULL;
- for (i = 0; i < obj->package.count - 1; i += 2) {
+ for (i = 0; i + 1 < obj->package.count; i += 2) {
key_el = &obj->package.elements[i + 0];
val_el = &obj->package.elements[i + 1];
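Review bot: The commit message does not say which commit introduced the `obj->package.count - 1` bound or how the problem was found; add a Fixes: tag and state whether an empty _DSM package was seen on a device or the issue was found by inspection. It would also help to name the types involved, since the subtraction only wraps when the comparison is done in unsigned arithmetic and the declaration of `i` is outside this hunk.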
--
2.43.0
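The wrap described in the commit message above, modelled in user space as an added example (not code from the patch or from the atomisp driver). `pairs_old` and `pairs_new` are hypothetical helpers that count how many key/value pairs each loop bound would visit; the 32-bit unsigned `count` and the iteration cap are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed user-space model, not driver code. `count` stands in for
 * obj->package.count, assumed here to be a 32-bit unsigned value; with a
 * 32-bit int, a signed `int i` would be converted to unsigned for the
 * comparison and behave the same. `cap` is an artificial limit so the
 * wrapped old bound terminates; no array is ever indexed.
 */

/* Old bound: i < count - 1. With count == 0, count - 1 wraps to UINT32_MAX. */
static unsigned int pairs_old(uint32_t count, unsigned int cap)
{
	unsigned int visited = 0;

	for (uint32_t i = 0; i < count - 1 && visited < cap; i += 2)
		visited++;
	return visited;
}

/* New bound: i + 1 < count. No subtraction, so nothing wraps at count == 0. */
static unsigned int pairs_new(uint32_t count, unsigned int cap)
{
	unsigned int visited = 0;

	for (uint32_t i = 0; i + 1 < count && visited < cap; i += 2)
		visited++;
	return visited;
}

int main(void)
{
	const unsigned int cap = 8;

	printf("count  old  new\n");
	for (uint32_t count = 0; count <= 5; count++)
		printf("%5u  %3u  %3u%s\n", (unsigned int)count,
		       pairs_old(count, cap), pairs_new(count, cap),
		       pairs_old(count, cap) == cap ? "  <- hit cap" : "");
	return 0;
}
```

Only the count 0 row differs: the old bound runs until the cap, the new bound visits nothing.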
* Re: [PATCH] media: atomisp: avoid ACPI package count underflow in gmin_cfg_get_dsm
From: Jose A. Perez de Azpillaga @ 2026-04-10 9:23 UTC (permalink / raw)
To: Mohamed El Harake
Cc: hansg, mchehab, sakari.ailus, andy, gregkh, linux-media,
linux-kernel, linux-staging
On Fri, Apr 10, 2026 at 12:41:58AM +0300, Mohamed El Harake wrote:
> From: Mohamad El Harake <mohamedharake2006@gmail.com>
>
> gmin_cfg_get_dsm() iterates over ACPI _DSM package elements as
> key/value pairs using obj->package.count - 1 as the loop bound.
>
> If package.count is 0, the subtraction underflows and may lead
> to out-of-bounds access.
>
> Use i + 1 < obj->package.count instead.
how was this bug tested? and is there any way to reproduce this?
--
regards,
jose a. p-a
* Re: [PATCH] media: atomisp: avoid ACPI package count underflow in gmin_cfg_get_dsm
From: Hans de Goede @ 2026-04-10 18:27 UTC (permalink / raw)
To: Mohamed El Harake
Cc: mchehab, sakari.ailus, andy, gregkh, linux-media, linux-kernel,
linux-staging
Hi,
On 9-Apr-26 11:41 PM, Mohamed El Harake wrote:
> From: Mohamad El Harake <mohamedharake2006@gmail.com>
>
> gmin_cfg_get_dsm() iterates over ACPI _DSM package elements as
> key/value pairs using obj->package.count - 1 as the loop bound.
>
> If package.count is 0, the subtraction underflows and may lead
> to out-of-bounds access.
>
> Use i + 1 < obj->package.count instead.
>
> Signed-off-by: Mohamad El Harake <mohamedharake2006@gmail.com>
Thanks, patch looks good to me:
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Regards,
Hans
> ---
> drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
> index ba61cc28fac1..cca91c6d71a5 100644
> --- a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
> +++ b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
> @@ -113,7 +113,7 @@ static char *gmin_cfg_get_dsm(struct acpi_device *adev, const char *key)
> if (!obj)
> return NULL;
>
> - for (i = 0; i < obj->package.count - 1; i += 2) {
> + for (i = 0; i + 1 < obj->package.count; i += 2) {
> key_el = &obj->package.elements[i + 0];
> val_el = &obj->package.elements[i + 1];
>
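Review bot: With the new bound `i + 1 < obj->package.count` an odd-length package still has its last element skipped silently, because `val_el` is only taken when `elements[i + 1]` exists. That matches the old bound for every count of 1 or more, so the only behaviour change is at count 0; a one-line comment above the loop saying that a trailing unpaired key is ignored would make the intent explicit.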