Description
In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops. The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values. The fix changes the bounds check to validate the actual accessed index.
Product status
e6c7b3e15559699a30646dd45195549c7db447bd (git) before cf7ae870560b988247a4bbbe5399edd326632680
e6c7b3e15559699a30646dd45195549c7db447bd (git) before db4c26adf7117b1a4431d1197ae7109fee3230ad
e6c7b3e15559699a30646dd45195549c7db447bd (git) before 79cab730dbaaac03b946c7f5681bd08c986e2abd
e6c7b3e15559699a30646dd45195549c7db447bd (git) before e44c42c830b7ab36e3a3a86321c619f24def5206
6.6
Any version before 6.6
6.6.120 (semver)
6.12.64 (semver)
6.18.4 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/cf7ae870560b988247a4bbbe5399edd326632680
git.kernel.org/...c/db4c26adf7117b1a4431d1197ae7109fee3230ad
git.kernel.org/...c/79cab730dbaaac03b946c7f5681bd08c986e2abd
git.kernel.org/...c/e44c42c830b7ab36e3a3a86321c619f24def5206