[PATCH] hwmon: (asus_atk0110) Check package count before accessing element

Next message: Garg, Shivank: "Re: [PATCH v8 00/46] guest_memfd: In-place conversion support"
Previous message: Matthias Fend: "[PATCH v10 2/2] media: i2c: add Himax HM1246 image sensor driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: HyeongJun An

Date: Fri Jun 19 2026 - 08:30:30 EST

atk_ec_present() walks the management group package returned by the GGRP
ACPI method and, for each sub-package, reads its first element:

id = &obj->package.elements[0];
if (id->type != ACPI_TYPE_INTEGER)

without checking that the sub-package is non-empty. ACPICA allocates the
element array with exactly package.count entries, so for a sub-package
with a zero count this reads past the allocation.

The sibling function atk_debugfs_ggrp_open() performs the same access but
skips empty packages with a package.count check first. Add the same
check to atk_ec_present() so a malformed firmware package cannot trigger
an out-of-bounds read.

Fixes: 9e6eba610c2e ("hwmon: (asus_atk0110) Enable the EC")
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@xxxxxxxxx>
---
drivers/hwmon/asus_atk0110.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
index 109318b0434d..92afb64c09df 100644
--- a/drivers/hwmon/asus_atk0110.c
+++ b/drivers/hwmon/asus_atk0110.c
@@ -1037,6 +1037,9 @@ static int atk_ec_present(struct atk_data *data)
if (obj->type != ACPI_TYPE_PACKAGE)
continue;

+ if (!obj->package.count)
+ continue;
+
id = &obj->package.elements[0];
if (id->type != ACPI_TYPE_INTEGER)
continue;
--
2.43.0