Re: [PATCH 2/2] gpiolib: acpi: fix out-of-bounds pointer arithmetic in acpi_gpio_package_count
From: Mika Westerberg
Date: Mon Jun 01 2026 - 01:18:29 EST
On Sat, May 30, 2026 at 11:40:12AM +0200, Marco Scardovi wrote:
> When counting GPIOs in an ACPI package, encountering a reference or
> string causes the element pointer to be advanced by 3 (element += 3)
> and then by 1 (element++).
>
> If a malformed ACPI package contains fewer than 4 remaining elements
> when a reference or string is processed, this pointer arithmetic
> advances the element pointer past the end of the package elements
> array. This results in undefined behavior and can cause out-of-bounds
> reads.
How can it cause out-of-bounds reads? We increase "element" but the next
iteration checks that it is still inside "end" and it's never dereferenced.
Maybe I'm missing something?
> Fix this by ensuring at least 4 elements remain in the package before
> advancing the element pointer, returning -EPROTO if the package
> structure is invalid.
>
> Signed-off-by: Marco Scardovi <scardracs@xxxxxxxxxxx>
> ---
> drivers/gpio/gpiolib-acpi-core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpio/gpiolib-acpi-core.c b/drivers/gpio/gpiolib-acpi-core.c
> index 049e4cbc14ed..494dcd166aef 100644
> --- a/drivers/gpio/gpiolib-acpi-core.c
> +++ b/drivers/gpio/gpiolib-acpi-core.c
> @@ -1310,6 +1310,8 @@ static int acpi_gpio_package_count(const union acpi_object *obj)
> switch (element->type) {
> case ACPI_TYPE_LOCAL_REFERENCE:
> case ACPI_TYPE_STRING:
> + if (end - element < 4)
> + return -EPROTO;
> element += 3;
> fallthrough;
> case ACPI_TYPE_INTEGER:
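Review bot: the check and the arithmetic agree (a reference or string consumes its own slot plus three more, so `end - element < 4` is exactly the case where `element += 3` followed by `element++` lands beyond `end`), but the commit message's "out-of-bounds reads" does not follow from the hunk: nothing visible dereferences `element` after the advance, so unless the loop header compares with `!=` the defect is a pointer formed more than one past the end of the array, which is undefined in C even without a read. Reword the message to say that, or cite the loop condition if it really does read through the pointer. Also, the diffstat touches only this function; confirm every caller of acpi_gpio_package_count() already treats a negative return as an error rather than a GPIO count, since this path may be a new way for it to fail.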
> --
> 2.54.0
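To make the disagreement above concrete, here is a stand-alone model of the counting loop, added as an example and not code from gpiolib-acpi-core.c or ACPICA. It assumes the entry layout the patch implies (a reference or string followed by three integers, or a bare integer) and a loop that compares `element < end`. The type names, `struct model_package`, and the sample packages are constructed for the example. `model_package_count()` carries the patch's four-element check; `model_unchecked_overshoot()` replays the unchecked walk with an index so the example itself never forms an out-of-range pointer, and reports how far past the end the old arithmetic would have gone.

```c
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-ins for the ACPI object types; not the ACPICA definitions. */
enum model_type {
	MODEL_TYPE_INTEGER = 1,
	MODEL_TYPE_STRING = 2,
	MODEL_TYPE_LOCAL_REFERENCE = 3,
};

struct model_object {
	enum model_type type;
	unsigned long long integer; /* payload; the counter never reads it */
};

/* Element array plus length, mirroring the elements/count pair the real walk uses. */
struct model_package {
	const struct model_object *elements;
	size_t count;
};

/*
 * Count GPIO entries. Assumed layout: a reference or string opens a
 * four-element entry (the reference plus three integers); a bare integer
 * is a one-element entry. Each entry is one GPIO.
 *
 * The `end - element < 4` test is the patch's check: with fewer than four
 * elements left, `element += 3; element++` would move past `end`, so the
 * package is rejected instead.
 */
static int model_package_count(const struct model_package *pkg)
{
	const struct model_object *element = pkg->elements;
	const struct model_object *end = element + pkg->count;
	int count = 0;

	while (element < end) {
		switch (element->type) {
		case MODEL_TYPE_LOCAL_REFERENCE:
		case MODEL_TYPE_STRING:
			if (end - element < 4)
				return -EPROTO;
			element += 3;
			/* fall through */
		case MODEL_TYPE_INTEGER:
			element++;
			count++;
			break;
		default:
			return -EPROTO;
		}
	}
	return count;
}

/*
 * Replay the unchecked walk with an index instead of a pointer, so this
 * example stays well defined. Returns how many elements past the end the
 * cursor lands (0 when it stops exactly at the end). A real pointer that
 * lands there is formed more than one past the end, which C does not
 * permit even when it is only compared and never dereferenced.
 */
static size_t model_unchecked_overshoot(const struct model_package *pkg)
{
	size_t i = 0;

	while (i < pkg->count) {
		switch (pkg->elements[i].type) {
		case MODEL_TYPE_LOCAL_REFERENCE:
		case MODEL_TYPE_STRING:
			i += 3;
			/* fall through */
		case MODEL_TYPE_INTEGER:
			i++;
			break;
		default:
			return 0;
		}
	}
	return i - pkg->count;
}

/* Constructed sample packages (not real firmware data). */
static const struct model_object good_elems[] = {
	{ MODEL_TYPE_LOCAL_REFERENCE, 0 }, { MODEL_TYPE_INTEGER, 0 },
	{ MODEL_TYPE_INTEGER, 5 }, { MODEL_TYPE_INTEGER, 0 },
	{ MODEL_TYPE_INTEGER, 7 },
};
static const struct model_package good_pkg = { good_elems, 5 };

/* A reference entry cut short: only three elements remain. */
static const struct model_object truncated_elems[] = {
	{ MODEL_TYPE_LOCAL_REFERENCE, 0 }, { MODEL_TYPE_INTEGER, 0 },
	{ MODEL_TYPE_INTEGER, 5 },
};
static const struct model_package truncated_pkg = { truncated_elems, 3 };

int main(void)
{
	printf("good: count=%d overshoot=%zu\n",
	       model_package_count(&good_pkg), model_unchecked_overshoot(&good_pkg));
	printf("truncated: count=%d overshoot=%zu\n",
	       model_package_count(&truncated_pkg), model_unchecked_overshoot(&truncated_pkg));
	return 0;
}
```

The truncated package shows both sides of the thread: the checked walk returns -EPROTO, while the unchecked replay stops one element past the end without ever reading it, which is the behaviour Mika describes and the pointer the patch's check avoids forming.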