[PATCH 0/2] gpiolib: acpi: fix bounds-checking bugs in GPIO ACPI core

Next message: Marco Scardovi: "[PATCH 1/2] gpiolib: acpi: prevent address truncation in OperationRegion handler"
Previous message: tip-bot2 for Ingo Molnar: "[tip: x86/cpu] x86/cpu: Make CONFIG_X86_TSC unconditional"
Next in thread: Marco Scardovi: "[PATCH 1/2] gpiolib: acpi: prevent address truncation in OperationRegion handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Marco Scardovi

Date: Sat May 30 2026 - 05:41:42 EST

Hi all,

While reviewing drivers/gpio/gpiolib-acpi-core.c in linux-next,
I noticed two bounds-checking issues in the ACPI GPIO handling paths.

The first issue is in acpi_gpio_adr_space_handler(), where the
64-bit ACPI OperationRegion address is truncated to u16 before
validation against pin_table_length. This can cause out-of-range
addresses to wrap around and access unintended GPIO entries.

Depending on platform firmware configuration, this could potentially
affect GPIO lines associated with sensitive hardware controls.

The second issue is in acpi_gpio_package_count(), where malformed
_DSD packages can cause pointer advancement past the package end
during element parsing, potentially resulting in out-of-bounds reads.

This series fixes both issues by:

- Validating the full address range before truncation
- Making the length calculation overflow-safe
- Validating remaining package elements before pointer advancement

The fixes are intentionally minimal and preserve the existing
behavior of capping ranges that extend past the end of the pin table.

Patch 1 also converts the related loop variables to unsigned types
for consistency with the updated arithmetic.

Thanks,
Marco

Marco Scardovi (2):
gpiolib: acpi: prevent address truncation in OperationRegion handler
gpiolib: acpi: fix out-of-bounds pointer arithmetic in
acpi_gpio_package_count

drivers/gpio/gpiolib-acpi-core.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)

--
2.54.0