[PATCH v4 4/4] gpiolib: acpi: fix out-of-bounds pointer arithmetic in acpi_gpio_package_count

From: Marco Scardovi

Date: Sun May 31 2026 - 08:09:21 EST


When counting GPIOs in an ACPI package, encountering a reference or
string causes the element pointer to be advanced by 3 (element += 3)
and then by 1 (element++).

If a malformed ACPI package contains fewer than 4 remaining elements
when a reference or string is processed, this pointer arithmetic
advances the element pointer past the end of the package elements
array. This results in undefined behavior and can cause out-of-bounds
reads.

Fix this by ensuring at least 4 elements remain in the package before
advancing the element pointer, returning -EPROTO if the package
structure is invalid.

Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Marco Scardovi <scardracs@xxxxxxxxxxx>
---
drivers/gpio/gpiolib-acpi-core.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/gpio/gpiolib-acpi-core.c b/drivers/gpio/gpiolib-acpi-core.c
index d12dab42a096..b19fd02b64d0 100644
--- a/drivers/gpio/gpiolib-acpi-core.c
+++ b/drivers/gpio/gpiolib-acpi-core.c
@@ -1407,6 +1407,8 @@ static int acpi_gpio_package_count(const union acpi_object *obj)
switch (element->type) {
case ACPI_TYPE_LOCAL_REFERENCE:
case ACPI_TYPE_STRING:
+ if (end - element < 4)
+ return -EPROTO;
element += 3;
fallthrough;
case ACPI_TYPE_INTEGER:
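
Review bot: The bare 4 in the added check "if (end - element < 4)" is not explained where it is used. It is the 3 elements skipped by "element += 3" plus the one consumed by the element++ that the commit message describes, reached through the fallthrough into the ACPI_TYPE_INTEGER case. A one-line comment above the check saying so would keep the bound from silently drifting if either step changes. Note also that the check only guarantees four elements are present; in the visible lines the three skipped elements are still not inspected, so if their types matter for a well-formed entry, that validation would have to be a separate change.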
--
2.54.0