[PATCH v1 16/27] ACPICA: Fix integer overflow in acpi_ex_opcode_3A_1T_1R() (mid_op)

Next message: Rafael J. Wysocki: " [PATCH v1 12/27] ACPICA: Fix use-after-free in acpi_ds_terminate_control_method()"
Previous message: Andrew Morton: "Re: [PATCH] lib/test_crash: test module to trigger kernel crashes"
In reply to: Rafael J. Wysocki: "[PATCH v1 01/27] ACPICA: actypes: Distinguish between D3hot/cold"
Next in thread: Rafael J. Wysocki: " [PATCH v1 12/27] ACPICA: Fix use-after-free in acpi_ds_terminate_control_method()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Rafael J. Wysocki

Date: Wed May 27 2026 - 14:41:11 EST

From: ikaros <void0red@xxxxxxxxx>

Add overflow check for Index + Length to prevent integer overflow
when calculating the truncation length. This prevents negative
size parameter being passed to memcpy().

Link: https://github.com/acpica/acpica/commit/d281ec1ac84e
Signed-off-by: ikaros <void0red@xxxxxxxxx>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx>
---
drivers/acpi/acpica/exoparg3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/acpi/acpica/exoparg3.c b/drivers/acpi/acpica/exoparg3.c
index 2fc8070814e3..2790bf1a12e7 100644
--- a/drivers/acpi/acpica/exoparg3.c
+++ b/drivers/acpi/acpica/exoparg3.c
@@ -159,7 +159,7 @@ acpi_status acpi_ex_opcode_3A_1T_1R(struct acpi_walk_state *walk_state)

/* Truncate request if larger than the actual String/Buffer */

- else if ((index + length) > operand[0]->string.length) {
+ else if ((index + length) > operand[0]->string.length || (index + length) < index) { /* Check for overflow */
length =
(acpi_size)operand[0]->string.length -
(acpi_size)index;
--
2.51.0