[PATCH v1 13/27] ACPICA: validate byte_count in acpi_ps_get_next_package_length()
From: Rafael J. Wysocki
Date: Wed May 27 2026 - 14:19:28 EST
From: ikaros <void0red@xxxxxxxxx>
Validate package length reading in acpi_ps_get_next_package_length().
Link: https://github.com/acpica/acpica/commit/40e03f9941e2
Signed-off-by: ikaros <void0red@xxxxxxxxx>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx>
---
drivers/acpi/acpica/psargs.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c
index 6f6ae38ec044..87d32fbba0a6 100644
--- a/drivers/acpi/acpica/psargs.c
+++ b/drivers/acpi/acpica/psargs.c
@@ -48,6 +48,7 @@ acpi_ps_get_next_package_length(struct acpi_parse_state *parser_state)
u32 package_length = 0;
u32 byte_count;
u8 byte_zero_mask = 0x3F; /* Default [0:5] */
+ u32 remaining;
ACPI_FUNCTION_TRACE(ps_get_next_package_length);
@@ -55,7 +56,23 @@ acpi_ps_get_next_package_length(struct acpi_parse_state *parser_state)
* Byte 0 bits [6:7] contain the number of additional bytes
* used to encode the package length, either 0,1,2, or 3
*/
+
+ /* Check if we have at least one byte to read */
+ remaining = (u32)ACPI_PTR_DIFF(parser_state->aml_end, aml);
+ if (remaining == 0) {
+ return_UINT32(0);
+ }
+
byte_count = (aml[0] >> 6);
+
+ /* Validate byte_count and ensure we have enough bytes to read */
+ if (byte_count >= remaining) {
+
+ /* Clamp to available bytes and advance to end */
+ parser_state->aml = parser_state->aml_end;
+ return_UINT32(0);
+ }
+
parser_state->aml += ((acpi_size)byte_count + 1);
/* Get bytes 3, 2, 1 as needed */
--
2.51.0