https://bugzilla.kernel.org/show_bug.cgi?id=217146
Bug ID: 217146
Summary: Null pointer dereference in acpi_db_add_to_history
Product: ACPI
Version: 2.5
Kernel Version: 5.4.233
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ACPICA-Core
Assignee: acpi_acpica-c...@kernel-bugs.osdl.org
Reporter: zhwang4...@hillstonenet.com
CC: robert.mo...@intel.com
Regression: No

Version: Linux kernel 5.4.233
Location: drivers/acpi/acpica/dbhistry.c line 74:5

The acpi_gbl_history_buffer[acpi_gbl_next_history_index].command is assigned in the if statement when cmd_len > buffer_len, or assigned in the else statement. The acpi_os_allocate function calls kmalloc. It will return a NULL pointer when OOM is triggered. But the check for the pointer is missing before strcpy. This can create unmanageable situations, or crash the system.

Vulnerable code:
```
void acpi_db_add_to_history(char *command_line)
{
    u16 cmd_len;
    u16 buffer_len;

    /* Put command into the next available slot */

    cmd_len = (u16)strlen(command_line);
    if (!cmd_len) {
        return;
    }

    if (acpi_gbl_history_buffer[acpi_gbl_next_history_index].command != NULL) {
        buffer_len = (u16)
            strlen(acpi_gbl_history_buffer[acpi_gbl_next_history_index].
                   command);

        if (cmd_len > buffer_len) {
            acpi_os_free(acpi_gbl_history_buffer
                         [acpi_gbl_next_history_index].command);
            acpi_gbl_history_buffer[acpi_gbl_next_history_index].
                command = acpi_os_allocate(cmd_len + 1);
        }
    } else {
        acpi_gbl_history_buffer[acpi_gbl_next_history_index].command =
            acpi_os_allocate(cmd_len + 1);
    }

    /* <!> .command is NULL here if acpi_os_allocate() failed */
    strcpy(acpi_gbl_history_buffer[acpi_gbl_next_history_index].command,
           command_line);

    acpi_gbl_history_buffer[acpi_gbl_next_history_index].cmd_num =
        acpi_gbl_next_cmd_num;
```

Patch diff code:
```
--- drivers/acpi/acpica/dbhistry.c 2023-03-06 16:13:22 +++ drivers/acpi/acpica/dbhistry.c 2023-03-06 16:15:29
@@ -71,6 +71,10 @@ acpi_os_allocate(cmd_len + 1); } + if (!acpi_gbl_history_buffer[acpi_gbl_next_history_index].command){ + return; + } + strcpy(acpi_gbl_history_buffer[acpi_gbl_next_history_index].command, command_line);
```

This better be fixed, thanks!

Best regards.
ZhengHan.

--
acpi-bugzilla mailing list
acpi-bugzilla@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acpi-bugzilla
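Review bot: the added `if (!...command) { return; }` stops the NULL dereference but is placed after the damage is done on the `cmd_len > buffer_len` path, where this function has already called acpi_os_free() on the previous command before acpi_os_allocate() runs, so an allocation failure silently discards a history entry that could have been kept, and leaves the slot with `command == NULL` next to its old `cmd_num`. Allocate into a temporary first, free the old buffer and store the new one only on success, and since the function is void and cannot return a status, emit an ACPI_ERROR/ACPI_WARNING so the failure is at least visible instead of a bare return. Two smaller points: `command){` needs a space before the brace to match the surrounding ACPICA style, and because dbhistry.c is imported from ACPICA (Component: ACPICA-Core), the change should be sent upstream as a proper patch with a description and Signed-off-by, which this diff lacks.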
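The failure mode in the report, as an added example that is not ACPICA's or the kernel's code: a user-space C model of the history-slot update with an allocator whose next call can be forced to return NULL, the way kmalloc() does under OOM. `history_add_unchecked` follows the reported free-then-allocate-then-strcpy order; `history_add_checked` is the hardened form that allocates first, frees the old buffer only on success, checks the pointer, and returns an error. All names (history_entry, history_add_*, model_allocate, fail_next_alloc) and the sample command strings are assumptions constructed for this example.

```c
/* Added example, not ACPICA/kernel code: user-space model of the history-slot
 * update with an allocator that can be forced to fail like kmalloc() on OOM.
 * All names and sample commands are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HISTORY_SIZE 4

struct history_entry {
    char *command;          /* heap copy of the command line, NULL if unused */
    unsigned int cmd_num;   /* sequence number assigned when stored */
};

static struct history_entry history[HISTORY_SIZE];
static unsigned int next_index;         /* slot the next command goes into */
static unsigned int next_cmd_num = 1;
static int fail_next_alloc;             /* non-zero: next allocation returns NULL */

/* Stand-in for acpi_os_allocate()/kmalloc(): fails once on demand. */
static void *model_allocate(size_t size)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(size);
}

/* Reported pattern: free, allocate, then strcpy with no NULL check.
 * With fail_next_alloc set this dereferences NULL on a longer command. */
static void history_add_unchecked(const char *command_line)
{
    struct history_entry *slot = &history[next_index];
    size_t cmd_len = strlen(command_line);

    if (!cmd_len)
        return;
    if (slot->command) {
        if (cmd_len > strlen(slot->command)) {
            free(slot->command);                    /* old entry already gone */
            slot->command = model_allocate(cmd_len + 1);
        }
    } else {
        slot->command = model_allocate(cmd_len + 1);
    }
    strcpy(slot->command, command_line);            /* slot->command may be NULL */
    slot->cmd_num = next_cmd_num++;
    next_index = (next_index + 1) % HISTORY_SIZE;
}

/* Hardened form: allocate first, free the old buffer only on success, check
 * the pointer, and tell the caller. Returns 0 on success, -1 on OOM. */
static int history_add_checked(const char *command_line)
{
    struct history_entry *slot = &history[next_index];
    size_t cmd_len = strlen(command_line);
    char *buf;

    if (!cmd_len)
        return 0;
    if (slot->command && cmd_len <= strlen(slot->command)) {
        buf = slot->command;                        /* existing buffer is big enough */
    } else {
        buf = model_allocate(cmd_len + 1);
        if (!buf)
            return -1;                              /* OOM: slot left untouched */
        free(slot->command);                        /* free(NULL) is a no-op */
        slot->command = buf;
    }
    memcpy(buf, command_line, cmd_len + 1);         /* length known: no strcpy needed */
    slot->cmd_num = next_cmd_num++;
    next_index = (next_index + 1) % HISTORY_SIZE;
    return 0;
}

static const char *history_command(unsigned int index)
{
    return history[index % HISTORY_SIZE].command;
}

int main(int argc, char **argv)
{
    history_add_checked("help");
    next_index = 0;                 /* reuse the slot holding "help" */
    fail_next_alloc = 1;            /* force OOM on the longer command */
    if (history_add_checked("methods \\_SB") < 0)
        printf("OOM reported; slot still holds \"%s\"\n", history_command(0));
    if (argc > 1 && strcmp(argv[1], "crash") == 0) {
        fail_next_alloc = 1;
        history_add_unchecked("methods \\_SB");   /* strcpy(NULL, ...) */
    }
    return 0;
}
```

Run the binary with the argument `crash` to take the unchecked path under a forced allocation failure and hit strcpy(NULL, ...); without it only the checked path runs. The ordering change is the part a bare NULL check does not give you: in the free-then-allocate order, a reallocation that fails still loses the entry freed a few lines earlier, while allocate-then-free keeps it.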