acpica: fix CVE-2024-24856

The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a successful allocation, but the subsequent code directly dereferences the pointer that receives it, which may lead to null pointer dereference. To fix this issue, a null pointer check should be added. If it is null, return exception code AE_NO_MEMORY. Refer: https://nvd.nist.gov/vuln/detail/CVE-2024-24856 (From OE-Core rev: 5c590ccd1973d343f47e7b7171691400490dfc1a) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Changqing Li <changqing.li@windriver.com> 2024-11-25 12:55:45 +0800
committer: Steve Sakoman <steve@sakoman.com> 2024-12-06 05:50:24 -0800
commit: 1cb4e6a502e25d526f780100eb09507b5b6b75eb (patch)
tree: 5336a186b7a16f08202e65a25a9f88f4ea0405c5 /meta
parent: 6653eb6e900e9a2934b6c934f26555fe28c1a8d9 (diff)
download: poky-1cb4e6a502e25d526f780100eb09507b5b6b75eb.tar.gz
2 files changed, 33 insertions, 1 deletions
diff --git a/meta/recipes-extended/acpica/acpica_20240322.bb b/meta/recipes-extended/acpica/acpica_20240322.bb
index 90e3599d32..1f93c0d435 100644
--- a/meta/recipes-extended/acpica/acpica_20240322.bb
+++ b/meta/recipes-extended/acpica/acpica_20240322.bb
@@ -16,7 +16,8 @@ COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
 DEPENDS = "m4-native flex-native bison-native"
-SRC_URI = "git://github.com/acpica/acpica;protocol=https;branch=master"
+SRC_URI = "git://github.com/acpica/acpica;protocol=https;branch=master \
+           file://CVE-2024-24856.patch"
 SRCREV = "170fc3076a86777077637f10b05c32ac21ac13aa"
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-extended/acpica/files/CVE-2024-24856.patch b/meta/recipes-extended/acpica/files/CVE-2024-24856.patch
new file mode 100644
index 0000000000..c0c9c00d12
--- /dev/null
+++ b/meta/recipes-extended/acpica/files/CVE-2024-24856.patch
@@ -0,0 +1,31 @@
+From 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 Mon Sep 17 00:00:00 2001
+From: Huai-Yuan Liu <qq810974084@gmail.com>
+Date: Tue, 9 Apr 2024 23:23:39 +0800
+Subject: [PATCH] check null return of ACPI_ALLOCATE_ZEROED in
+ AcpiDbConvertToPackage
+ACPI_ALLOCATE_ZEROED may fails, Elements might be null and will cause null pointer dereference later.
+Signed-off-by: Huai-Yuan Liu <qq810974084@gmail.com>
+CVE: CVE-2024-24856
+Upstream-Status: Backport [https://github.com/acpica/acpica/pull/946/commits/4d4547cf13cca820ff7e0f859ba83e1a610b9fd0]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ source/components/debugger/dbconvert.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/source/components/debugger/dbconvert.c b/source/components/debugger/dbconvert.c
+index 6a41000036..32ad5be179 100644
+--- a/source/components/debugger/dbconvert.c
+++ b/source/components/debugger/dbconvert.c
+@@ -354,6 +354,8 @@ AcpiDbConvertToPackage (
+ 
+     Elements = ACPI_ALLOCATE_ZEROED (
+         DB_DEFAULT_PKG_ELEMENTS * sizeof (ACPI_OBJECT));
+    if (!Elements)
+        return (AE_NO_MEMORY);
+ 
+     This = String;
+     for (i = 0; i < (DB_DEFAULT_PKG_ELEMENTS - 1); i++)
author	Changqing Li <changqing.li@windriver.com>	2024-11-25 12:55:45 +0800
committer	Steve Sakoman <steve@sakoman.com>	2024-12-06 05:50:24 -0800
commit	1cb4e6a502e25d526f780100eb09507b5b6b75eb (patch)
tree	5336a186b7a16f08202e65a25a9f88f4ea0405c5 /meta
parent	6653eb6e900e9a2934b6c934f26555fe28c1a8d9 (diff)
download	poky-1cb4e6a502e25d526f780100eb09507b5b6b75eb.tar.gz

diff --git a/meta/recipes-extended/acpica/acpica_20240322.bb b/meta/recipes-extended/acpica/acpica_20240322.bb index 90e3599d32..1f93c0d435 100644 --- a/meta/recipes-extended/acpica/acpica_20240322.bb +++ b/meta/recipes-extended/acpica/acpica_20240322.bb
@@ -16,7 +16,8 @@ COMPATIBLE_HOST = "(i.86\|x86_64\|arm\|aarch64).*-linux"
16		16
17	DEPENDS = "m4-native flex-native bison-native"	17	DEPENDS = "m4-native flex-native bison-native"
18		18
19	SRC_URI = "git://github.com/acpica/acpica;protocol=https;branch=master"	19	SRC_URI = "git://github.com/acpica/acpica;protocol=https;branch=master \
		20	file://CVE-2024-24856.patch"
20	SRCREV = "170fc3076a86777077637f10b05c32ac21ac13aa"	21	SRCREV = "170fc3076a86777077637f10b05c32ac21ac13aa"
21		22
22	S = "${WORKDIR}/git"	23	S = "${WORKDIR}/git"


diff --git a/meta/recipes-extended/acpica/files/CVE-2024-24856.patch b/meta/recipes-extended/acpica/files/CVE-2024-24856.patch new file mode 100644 index 0000000000..c0c9c00d12 --- /dev/null +++ b/meta/recipes-extended/acpica/files/CVE-2024-24856.patch
@@ -0,0 +1,31 @@
		1	From 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 Mon Sep 17 00:00:00 2001
		2	From: Huai-Yuan Liu <qq810974084@gmail.com>
		3	Date: Tue, 9 Apr 2024 23:23:39 +0800
		4	Subject: [PATCH] check null return of ACPI_ALLOCATE_ZEROED in
		5	AcpiDbConvertToPackage
		6
		7	ACPI_ALLOCATE_ZEROED may fails, Elements might be null and will cause null pointer dereference later.
		8
		9	Signed-off-by: Huai-Yuan Liu <qq810974084@gmail.com>
		10
		11	CVE: CVE-2024-24856
		12	Upstream-Status: Backport [https://github.com/acpica/acpica/pull/946/commits/4d4547cf13cca820ff7e0f859ba83e1a610b9fd0]
		13
		14	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		15	---
		16	source/components/debugger/dbconvert.c \| 2 ++
		17	1 file changed, 2 insertions(+)
		18
		19	diff --git a/source/components/debugger/dbconvert.c b/source/components/debugger/dbconvert.c
		20	index 6a41000036..32ad5be179 100644
		21	--- a/source/components/debugger/dbconvert.c
		22	+++ b/source/components/debugger/dbconvert.c
		23	@@ -354,6 +354,8 @@ AcpiDbConvertToPackage (
		24
		25	Elements = ACPI_ALLOCATE_ZEROED (
		26	DB_DEFAULT_PKG_ELEMENTS * sizeof (ACPI_OBJECT));
		27	+ if (!Elements)
		28	+ return (AE_NO_MEMORY);
		29
		30	This = String;
		31	for (i = 0; i < (DB_DEFAULT_PKG_ELEMENTS - 1); i++)