Commit e1896289 authored Nov 01, 2024 by Thomas Weißschuh Committed by Heyuan Wang Nov 01, 2024

ACPI: sysfs: validate return type of _STR method

mainline inclusion
from mainline-v6.12-rc1
commit 4bb1e7d027413835b086aed35bc3f0713bc0f72b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQON
CVE: CVE-2024-49860

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4bb1e7d027413835b086aed35bc3f0713bc0f72b



--------------------------------

Only buffer objects are valid return values of _STR.

If something else is returned description_show() will access invalid
memory.

Fixes: d1efe3c3 ("ACPI: Add new sysfs interface to export device description")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://patch.msgid.link/20240709-acpi-sysfs-groups-v2-1-058ab0667fa8@weissschuh.net


Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Heyuan Wang <wangheyuan2@h-partners.com>

parent 178114dd

drivers/acpi/device_sysfs.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -533,8 +533,9 @@ int acpi_device_setup_files(struct acpi_device *dev)
		* If device has _STR, 'description' file is created
		*/
		if (acpi_has_method(dev->handle, "_STR")) {
		status = acpi_evaluate_object(dev->handle, "_STR",
		NULL, &buffer);
		status = acpi_evaluate_object_typed(dev->handle, "_STR",
		NULL, &buffer,
		ACPI_TYPE_BUFFER);
		if (ACPI_FAILURE(status))
		buffer.pointer = NULL;
		dev->pnp.str_obj = buffer.pointer;