Fix an issue detected by syzbot with KASAN: BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ core.c:416 [inline] BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
The issue occurs in `cmd_to_func` when the `call_pkg->nd_reserved2` array is accessed without verifying that `call_pkg` points to a buffer that is sized appropriately as a `struct nd_cmd_pkg`. This could lead to out-of-bounds access and undefined behavior if the buffer does not have sufficient space. To address this issue, a check was added in `acpi_nfit_ctl()` to ensure that `buf` is not `NULL` and `buf_len` is greater than or equal to `sizeof(struct nd_cmd_pkg)` before casting `buf` to `struct nd_cmd_pkg *`. This ensures safe access to the members of `call_pkg`, including the `nd_reserved2` array. This change preventing out-of-bounds reads. Reported-by: syzbot+7534f060ebda6b8b5...@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3 Tested-by: syzbot+7534f060ebda6b8b5...@syzkaller.appspotmail.com Fixes: 906bd684e4b1 ("Merge tag 'spi-fix-v6.12-rc6'") Signed-off-by: Suraj Sonawane <surajsonawane0...@gmail.com> --- drivers/acpi/nfit/core.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c index 5429ec9ef..4a2997b60 100644 --- a/drivers/acpi/nfit/core.c +++ b/drivers/acpi/nfit/core.c @@ -454,8 +454,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, if (cmd_rc) *cmd_rc = -EINVAL; - if (cmd == ND_CMD_CALL) - call_pkg = buf; + if (cmd == ND_CMD_CALL) { + if (buf == NULL || buf_len < sizeof(struct nd_cmd_pkg)) { + rc = -EINVAL; + goto out; + } + call_pkg = (struct nd_cmd_pkg *)buf; + } func = cmd_to_func(nfit_mem, cmd, call_pkg, &family); if (func < 0) return func; -- 2.34.1
