Message-ID: <9a1f0216-9445-f1a1-6ccd-e59e03b184d7@linux.intel.com>
Date: Mon, 22 Dec 2025 16:41:12 +0200 (EET)
From: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
To: Junrui Luo <moonafterrain@...look.com>
cc: Jorge Lopez <jorge.lopez2@...com>, Hans de Goede <hansg@...nel.org>,
Thomas Weißschuh <linux@...ssschuh.net>,
platform-driver-x86@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
Yuhao Jiang <danisjiang@...il.com>
Subject: Re: [PATCH] platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing

On Thu, 4 Dec 2025, Junrui Luo wrote:
> The hp_populate_*_elements_from_package() functions in the hp-bioscfg
> driver contain out-of-bounds array access vulnerabilities.
>
> The fix changes the bounds check to validate the actual accessed index.
Thanks for the patch. Unfortunately this description is too vague. Please
explain things more precisely, with name references to related variables,
etc. so a reviewer / person looking at this change later in the git history
does not have to figure out the entire function (there's quite a lot of code
in there so it's not all that obvious).

I could probably have figured this out by figuring out those
functions during review, but I ended up not doing it because this
information should be present in the changelog as well.
--
i.
> Reported-by: Yuhao Jiang <danisjiang@...il.com>
> Reported-by: Junrui Luo <moonafterrain@...look.com>
> Fixes: e6c7b3e15559 ("platform/x86: hp-bioscfg: string-attributes")
> Signed-off-by: Junrui Luo <moonafterrain@...look.com>
> ---
> drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 4 ++--
> drivers/platform/x86/hp/hp-bioscfg/int-attributes.c | 2 +-
> drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 5 +++++
> drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +++++
> drivers/platform/x86/hp/hp-bioscfg/string-attributes.c | 2 +-
> 5 files changed, 14 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
> index c50ad5880503..f346aad8e9d8 100644
> --- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
> +++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
> @@ -207,7 +207,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
> case PREREQUISITES:
> size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
> for (reqs = 0; reqs < size; reqs++) {
> - if (elem >= enum_obj_count) {
> + if (elem + reqs >= enum_obj_count) {
> pr_err("Error enum-objects package is too small\n");
> return -EINVAL;
> }
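
Review bot: the changed condition inside the `for (reqs = 0; reqs < size; reqs++)` loop is not explained anywhere, since the changelog never names `elem`, `reqs` or `enum_obj_count` and the context shown here stops before the array access. If the loop body indexes the package by `elem + reqs`, as the visible lines in the order-list and password hunks do, say so in the commit message and state that the old test compared only `elem`, so the index actually used was never checked against `enum_obj_count`.
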
> @@ -255,7 +255,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
>
> for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE;
> pos_values++) {
> - if (elem >= enum_obj_count) {
> + if (elem + pos_values >= enum_obj_count) {
> pr_err("Error enum-objects package is too small\n");
> return -EINVAL;
> }
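
Review bot: the new test in the `pos_values` loop runs once per iteration, so a package that is too short is rejected only after the earlier iterations have already run. Consider checking the whole range once before the loop, using the same bound the loop uses (the smaller of `size` and `MAX_VALUES_SIZE`) added to `elem` and compared against `enum_obj_count`, so the function returns -EINVAL before processing any of the values.
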
> diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
> index 6c7f4d5fa9cb..63b1fda2be4e 100644
> --- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
> +++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
> @@ -227,7 +227,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_
> size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
>
> for (reqs = 0; reqs < size; reqs++) {
> - if (elem >= integer_obj_count) {
> + if (elem + reqs >= integer_obj_count) {
> pr_err("Error elem-objects package is too small\n");
> return -EINVAL;
> }
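
Review bot: this hunk changes int-attributes.c, but the only Fixes: tag in the patch names the "string-attributes" commit e6c7b3e15559. If the `elem >= integer_obj_count` check was introduced by a different commit, add a Fixes: tag for that commit as well (and likewise for the other four files), so the change is backported to every tree that carries the faulty check.
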
> diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
> index c6e57bb9d8b7..6a31f47ce3f5 100644
> --- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
> +++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
> @@ -216,6 +216,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord
> size = min_t(u32, ordered_list_data->common.prerequisites_size,
> MAX_PREREQUISITES_SIZE);
> for (reqs = 0; reqs < size; reqs++) {
> + if (elem + reqs >= order_obj_count) {
> + pr_err("Error elem-objects package is too small\n");
> + return -EINVAL;
> + }
> +
> ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer,
> order_obj[elem + reqs].string.length,
> &str_value, &value_len);
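
Review bot: the added check covers the index, but the line right after it reads `order_obj[elem + reqs].string.pointer` and `.string.length` with no visible test that the element is a string object. If `order_obj[elem + reqs].type` is not validated earlier in the function, check it against ACPI_TYPE_STRING here too, because the bounds check alone does not make the union access safe for a malformed package.
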
> diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
> index 187b372123ed..ec79d9d50377 100644
> --- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
> +++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
> @@ -303,6 +303,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor
> MAX_PREREQUISITES_SIZE);
>
> for (reqs = 0; reqs < size; reqs++) {
> + if (elem + reqs >= password_obj_count) {
> + pr_err("Error elem-objects package is too small\n");
> + return -EINVAL;
> + }
> +
> ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer,
> password_obj[elem + reqs].string.length,
> &str_value, &value_len);
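
Review bot: the message in the added `pr_err()` is the same "Error elem-objects package is too small" text used in the integer, ordered-list and string files, so a log line cannot tell which parser rejected the package. Since this is a new line anyway, name the attribute type in it (the enumeration file already uses "enum-objects"), for example "Error password-objects package is too small".
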
> diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
> index 27758b779b2d..7b885d25650c 100644
> --- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
> +++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
> @@ -217,7 +217,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob
> MAX_PREREQUISITES_SIZE);
>
> for (reqs = 0; reqs < size; reqs++) {
> - if (elem >= string_obj_count) {
> + if (elem + reqs >= string_obj_count) {
> pr_err("Error elem-objects package is too small\n");
> return -EINVAL;
> }
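
Review bot: with this hunk the same `elem + reqs >= ..._obj_count` test is open-coded in all five files, and the order-list and password hunks show that two of the copies were missing the check entirely. Consider moving the prerequisites bounds check into one shared helper in the driver's common code that takes the start index, the count and the package size, so the copies cannot drift apart again.
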
>
> ---
> base-commit: 4a26e7032d7d57c998598c08a034872d6f0d3945
> change-id: 20251204-fixes-a7747a291dc9
>
> Best regards,
>