From 1cb4e6a502e25d526f780100eb09507b5b6b75eb Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Mon, 25 Nov 2024 12:55:45 +0800
Subject: acpica: fix CVE-2024-24856

The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a
successful allocation, but the subsequent code directly dereferences the
pointer that receives it, which may lead to null pointer dereference. To
fix this issue, a null pointer check should be added. If it is null,
return exception code AE_NO_MEMORY.

Refer: https://nvd.nist.gov/vuln/detail/CVE-2024-24856

(From OE-Core rev: 5c590ccd1973d343f47e7b7171691400490dfc1a)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/acpica/acpica_20240322.bb    |  3 ++-
 .../acpica/files/CVE-2024-24856.patch              | 31 ++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/acpica/files/CVE-2024-24856.patch

diff --git a/meta/recipes-extended/acpica/acpica_20240322.bb b/meta/recipes-extended/acpica/acpica_20240322.bb
index 90e3599d32..1f93c0d435 100644
--- a/meta/recipes-extended/acpica/acpica_20240322.bb
+++ b/meta/recipes-extended/acpica/acpica_20240322.bb
@@ -16,7 +16,8 @@ COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
 
 DEPENDS = "m4-native flex-native bison-native"
 
-SRC_URI = "git://github.com/acpica/acpica;protocol=https;branch=master"
+SRC_URI = "git://github.com/acpica/acpica;protocol=https;branch=master \
+           file://CVE-2024-24856.patch"
 SRCREV = "170fc3076a86777077637f10b05c32ac21ac13aa"
 
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-extended/acpica/files/CVE-2024-24856.patch b/meta/recipes-extended/acpica/files/CVE-2024-24856.patch
new file mode 100644
index 0000000000..c0c9c00d12
--- /dev/null
+++ b/meta/recipes-extended/acpica/files/CVE-2024-24856.patch
@@ -0,0 +1,31 @@
+From 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 Mon Sep 17 00:00:00 2001
+From: Huai-Yuan Liu <qq810974084@gmail.com>
+Date: Tue, 9 Apr 2024 23:23:39 +0800
+Subject: [PATCH] check null return of ACPI_ALLOCATE_ZEROED in
+ AcpiDbConvertToPackage
+
+ACPI_ALLOCATE_ZEROED may fails, Elements might be null and will cause null pointer dereference later.
+
+Signed-off-by: Huai-Yuan Liu <qq810974084@gmail.com>
+
+CVE: CVE-2024-24856
+Upstream-Status: Backport [https://github.com/acpica/acpica/pull/946/commits/4d4547cf13cca820ff7e0f859ba83e1a610b9fd0]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ source/components/debugger/dbconvert.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source/components/debugger/dbconvert.c b/source/components/debugger/dbconvert.c
+index 6a41000036..32ad5be179 100644
+--- a/source/components/debugger/dbconvert.c
++++ b/source/components/debugger/dbconvert.c
+@@ -354,6 +354,8 @@ AcpiDbConvertToPackage (
+ 
+     Elements = ACPI_ALLOCATE_ZEROED (
+         DB_DEFAULT_PKG_ELEMENTS * sizeof (ACPI_OBJECT));
++    if (!Elements)
++        return (AE_NO_MEMORY);
+ 
+     This = String;
+     for (i = 0; i < (DB_DEFAULT_PKG_ELEMENTS - 1); i++)
-- 
cgit v1.2.3-54-g00ecf