From: Andy Shevchenko <andriy.shevchenko@linux.intel.com> stable inclusion from stable-v6.6.2 commit 282026ab119e13505f52661a76002e9ec5265072 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8IW7G Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 046ece773cc77ef5d2a1431b188ac3d0840ed150 ] In accordance with ACPI specificication and _DSD data buffer representation the data there is an array of bytes. Hence, accessing it with something longer will create a sparse data which is against of how device property APIs work in general and also not defined in the ACPI specification (see [1]). Fix the code to emit an error if non-byte accessor is used to retrieve _DSD buffer data. Fixes: 369af6bf2c28 ("ACPI: property: Read buffer properties as integers") Link: https://uefi.org/specs/ACPI/6.5/19_ASL_Reference.html#buffer-declare-buffer-... # [1] Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> [ rjw: Add missing braces ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> --- drivers/acpi/property.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c index 413e4fcadcaf..99b4e3355435 100644 --- a/drivers/acpi/property.c +++ b/drivers/acpi/property.c @@ -1102,25 +1102,26 @@ static int acpi_data_prop_read(const struct acpi_device_data *data, switch (proptype) { case DEV_PROP_STRING: break; - case DEV_PROP_U8 ... DEV_PROP_U64: + default: if (obj->type == ACPI_TYPE_BUFFER) { if (nval > obj->buffer.length) return -EOVERFLOW; - break; + } else { + if (nval > obj->package.count) + return -EOVERFLOW; } - fallthrough; - default: - if (nval > obj->package.count) - return -EOVERFLOW; break; } if (nval == 0) return -EINVAL; - if (obj->type != ACPI_TYPE_BUFFER) - items = obj->package.elements; - else + if (obj->type == ACPI_TYPE_BUFFER) { + if (proptype != DEV_PROP_U8) + return -EPROTO; items = obj; + } else { + items = obj->package.elements; + } switch (proptype) { case DEV_PROP_U8: -- 2.25.1