Re: [PATCH] hwmon: (asus_atk0110) Check package count before accessing element

From: Guenter Roeck

Date: Mon Jun 29 2026 - 12:08:12 EST


On Fri, Jun 19, 2026 at 09:27:46PM +0900, HyeongJun An wrote:
> atk_ec_present() walks the management group package returned by the GGRP
> ACPI method and, for each sub-package, reads its first element:
>
> id = &obj->package.elements[0];
> if (id->type != ACPI_TYPE_INTEGER)
>
> without checking that the sub-package is non-empty. ACPICA allocates the
> element array with exactly package.count entries, so for a sub-package
> with a zero count this reads past the allocation.
>
> The sibling function atk_debugfs_ggrp_open() performs the same access but
> skips empty packages with a package.count check first. Add the same
> check to atk_ec_present() so a malformed firmware package cannot trigger
> an out-of-bounds read.
>
> Fixes: 9e6eba610c2e ("hwmon: (asus_atk0110) Enable the EC")
> Cc: stable@xxxxxxxxxxxxxxx
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: HyeongJun An <sammiee5311@xxxxxxxxx>

Applied.

Thanks,
Guenter