https://bugzilla.kernel.org/show_bug.cgi?id=217146
Bug ID: 217146
Summary: Null pointer dereference in acpi_db_add_to_history
Product: ACPI
Version: 2.5
Kernel Version: 5.4.233
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ACPICA-Core
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Regression: No
Version: Linux kernel 5.4.233
Location: drivers/acpi/acpica/dbhistry.c line 74:5
The acpi_gbl_history_buffer[acpi_gbl_next_history_index].command is assigned in
the if statement when cmd_len > buffer_len, or assigned in the else statement. The
acpi_os_allocate function calls kmalloc. It will return a NULL pointer when
OOM is triggered. But the check for the pointer is missing at strcpy. This can create
unmanageable situations, or crash the system.
Vulnerable code:
```
void acpi_db_add_to_history(char *command_line)
{
	u16 cmd_len;
	u16 buffer_len;

	/* Put command into the next available slot */

	cmd_len = (u16)strlen(command_line);
	if (!cmd_len) {
		return;
	}

	if (acpi_gbl_history_buffer[acpi_gbl_next_history_index].command !=
	    NULL) {
		buffer_len =
		    (u16)
		    strlen(acpi_gbl_history_buffer[acpi_gbl_next_history_index].
			   command);
		if (cmd_len > buffer_len) {
			acpi_os_free(acpi_gbl_history_buffer
				     [acpi_gbl_next_history_index].command);
			acpi_gbl_history_buffer[acpi_gbl_next_history_index].
			    command = acpi_os_allocate(cmd_len + 1);
		}
	} else {
		acpi_gbl_history_buffer[acpi_gbl_next_history_index].command =
		    acpi_os_allocate(cmd_len + 1);
	}

<!>	strcpy(acpi_gbl_history_buffer[acpi_gbl_next_history_index].command,
	       command_line);

	acpi_gbl_history_buffer[acpi_gbl_next_history_index].cmd_num =
	    acpi_gbl_next_cmd_num;
```
Patch diff code:
```
--- drivers/acpi/acpica/dbhistry.c 2023-03-06 16:13:22
+++ drivers/acpi/acpica/dbhistry.c 2023-03-06 16:15:29
@@ -71,6 +71,10 @@
acpi_os_allocate(cmd_len + 1);
}
+ if (!acpi_gbl_history_buffer[acpi_gbl_next_history_index].command){
+ return;
+ }
+
strcpy(acpi_gbl_history_buffer[acpi_gbl_next_history_index].command,
command_line);
```
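Review bot: The early return added before strcpy() leaves an inconsistent slot on the `cmd_len > buffer_len` path, because the function above has already passed the old buffer to acpi_os_free() before the allocation this check tests. After the return the slot holds a NULL command while its cmd_num still carries the value from the previous entry, and the command that was stored there is lost. Consider allocating into a local pointer first and freeing the old buffer only once the allocation has succeeded, or otherwise marking the slot as empty before returning. Two smaller points: the failure is silent, so the caller cannot tell the command was not recorded, and `){` needs a space before the brace to match the surrounding `if (!cmd_len) {`.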
This better be fixed, thanks!
Best regards.
ZhengHan.
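The following user-space model is an added example, not code from the report or from ACPICA. It shows the allocate-then-swap ordering, so a failed allocation neither dereferences NULL nor destroys the existing entry. The names `model_allocate`, `model_add_to_history`, `model_history_command`, `fail_next_alloc` and `HISTORY_SIZE` are hypothetical, and malloc() stands in for acpi_os_allocate().

```c
#include <stdlib.h>
#include <string.h>

#define HISTORY_SIZE 4            /* constructed size for this model */

struct history_slot { char *command; unsigned cmd_num; };

static struct history_slot history[HISTORY_SIZE];
static unsigned next_index, next_cmd_num = 1;
static int fail_next_alloc;       /* hook: simulate one OOM failure */

/* Stand-in for acpi_os_allocate(): may return NULL, like kmalloc(). */
static void *model_allocate(size_t size)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(size);
}

/* Returns 0 on success, -1 if the command could not be stored. */
int model_add_to_history(const char *command_line)
{
    struct history_slot *slot = &history[next_index];
    size_t cmd_len = strlen(command_line);

    if (!cmd_len)
        return 0;

    /* Reuse the old buffer only when the new command fits in it. */
    if (!slot->command || cmd_len > strlen(slot->command)) {
        char *buf = model_allocate(cmd_len + 1);

        if (!buf)
            return -1;            /* slot and counters left untouched */
        free(slot->command);      /* free only after the new buffer exists */
        slot->command = buf;
    }
    memcpy(slot->command, command_line, cmd_len + 1);
    slot->cmd_num = next_cmd_num++;
    next_index = (next_index + 1) % HISTORY_SIZE;
    return 0;
}

const char *model_history_command(unsigned i) { return history[i].command; }
```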