[PATCH] media: atomisp: avoid ACPI package count underflow in gmin_cfg_get

public inbox for linux-staging@lists.linux.dev
 help / color / mirror / Atom feed

* [PATCH] media: atomisp: avoid ACPI package count underflow in gmin_cfg_get_dsm
@ 2026-04-09 21:41 Mohamed El Harake
  2026-04-10  9:23 ` Jose A. Perez de Azpillaga
  0 siblings, 1 reply; 2+ messages in thread
From: Mohamed El Harake @ 2026-04-09 21:41 UTC (permalink / raw)
  To: hansg
  Cc: mchehab, sakari.ailus, andy, gregkh, linux-media, linux-kernel,
	linux-staging, Mohamad El Harake

From: Mohamad El Harake <mohamedharake2006@gmail.com>

gmin_cfg_get_dsm() iterates over ACPI _DSM package elements as
key/value pairs using obj->package.count - 1 as the loop bound.

If package.count is 0, the subtraction underflows and may lead
to out-of-bounds access.

Use i + 1 < obj->package.count instead.

Signed-off-by: Mohamad El Harake <mohamedharake2006@gmail.com>
---
 drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
index ba61cc28fac1..cca91c6d71a5 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
@@ -113,7 +113,7 @@ static char *gmin_cfg_get_dsm(struct acpi_device *adev, const char *key)
 	if (!obj)
 		return NULL;
 
-	for (i = 0; i < obj->package.count - 1; i += 2) {
+	for (i = 0; i + 1 < obj->package.count; i += 2) {
 		key_el = &obj->package.elements[i + 0];
 		val_el = &obj->package.elements[i + 1];
 
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] media: atomisp: avoid ACPI package count underflow in gmin_cfg_get_dsm
  2026-04-09 21:41 [PATCH] media: atomisp: avoid ACPI package count underflow in gmin_cfg_get_dsm Mohamed El Harake
@ 2026-04-10  9:23 ` Jose A. Perez de Azpillaga
  0 siblings, 0 replies; 2+ messages in thread
From: Jose A. Perez de Azpillaga @ 2026-04-10  9:23 UTC (permalink / raw)
  To: Mohamed El Harake
  Cc: hansg, mchehab, sakari.ailus, andy, gregkh, linux-media,
	linux-kernel, linux-staging

On Fri, Apr 10, 2026 at 12:41:58AM +0300, Mohamed El Harake wrote:
> From: Mohamad El Harake <mohamedharake2006@gmail.com>
>
> gmin_cfg_get_dsm() iterates over ACPI _DSM package elements as
> key/value pairs using obj->package.count - 1 as the loop bound.
>
> If package.count is 0, the subtraction underflows and may lead
> to out-of-bounds access.
>
> Use i + 1 < obj->package.count instead.

how was this bug tested? and is there any way to reproduce this?

--
regards,
jose a. p-a

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-10  9:23 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-09 21:41 [PATCH] media: atomisp: avoid ACPI package count underflow in gmin_cfg_get_dsm Mohamed El Harake
2026-04-10  9:23 ` Jose A. Perez de Azpillaga

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox