| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026011345-CVE-2025-71101-1886@gregkh> Date: Tue, 13 Jan 2026 16:36:00 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-71101: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops. The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values. The fix changes the bounds check to validate the actual accessed index. The Linux kernel CVE team has assigned CVE-2025-71101 to this issue. Affected and fixed versions =========================== Issue introduced in 6.6 with commit e6c7b3e15559699a30646dd45195549c7db447bd and fixed in 6.6.120 with commit cf7ae870560b988247a4bbbe5399edd326632680 Issue introduced in 6.6 with commit e6c7b3e15559699a30646dd45195549c7db447bd and fixed in 6.12.64 with commit db4c26adf7117b1a4431d1197ae7109fee3230ad Issue introduced in 6.6 with commit e6c7b3e15559699a30646dd45195549c7db447bd and fixed in 6.18.4 with commit 79cab730dbaaac03b946c7f5681bd08c986e2abd Issue introduced in 6.6 with commit e6c7b3e15559699a30646dd45195549c7db447bd and fixed in 6.19-rc4 with commit e44c42c830b7ab36e3a3a86321c619f24def5206 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-71101 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c drivers/platform/x86/hp/hp-bioscfg/int-attributes.c drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c drivers/platform/x86/hp/hp-bioscfg/string-attributes.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680 https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206
Powered by blists - more mailing lists