[PATCH 2/2] gpiolib: acpi: fix out-of-bounds pointer arithmetic in acpi_gpio_package_count

From: Marco Scardovi

Date: Sat May 30 2026 - 05:42:53 EST


When counting GPIOs in an ACPI package, encountering a reference or
string causes the element pointer to be advanced by 3 (element += 3)
and then by 1 (element++).

If a malformed ACPI package contains fewer than 4 remaining elements
when a reference or string is processed, this pointer arithmetic
advances the element pointer past the end of the package elements
array. This results in undefined behavior and can cause out-of-bounds
reads.

Fix this by ensuring at least 4 elements remain in the package before
advancing the element pointer, returning -EPROTO if the package
structure is invalid.

Signed-off-by: Marco Scardovi <scardracs@xxxxxxxxxxx>
---
drivers/gpio/gpiolib-acpi-core.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/gpio/gpiolib-acpi-core.c b/drivers/gpio/gpiolib-acpi-core.c
index 049e4cbc14ed..494dcd166aef 100644
--- a/drivers/gpio/gpiolib-acpi-core.c
+++ b/drivers/gpio/gpiolib-acpi-core.c
@@ -1310,6 +1310,8 @@ static int acpi_gpio_package_count(const union acpi_object *obj)
switch (element->type) {
case ACPI_TYPE_LOCAL_REFERENCE:
case ACPI_TYPE_STRING:
+ if (end - element < 4)
+ return -EPROTO;
element += 3;
fallthrough;
case ACPI_TYPE_INTEGER:
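Review bot: The bound in the added `if (end - element < 4)` check is a bare 4 whose meaning depends on two separate statements: the `element += 3` directly below it and the `element++` that the commit message describes after the fallthrough into `ACPI_TYPE_INTEGER`. A one-line comment stating that a reference or string entry occupies four package elements, or a named constant shared by the check and the advance, would keep the two from drifting apart if the entry layout ever changes. The commit message describes an out-of-bounds read fix but carries no Fixes: tag; adding one would help with stable backports.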
--
2.54.0