From: gldrk <me@xxxxxxxxxx> [ Upstream commit 12b660251007e00a3e4d47ec62dbe3a7ace7023e ] ACPICA commit d9d59b7918514ae55063b93f3ec041b1a569bf49 The old version breaks sprintf on 64-bit systems for buffers outside [0..UINT32_MAX]. Link: https://github.com/acpica/acpica/commit/d9d59b79 Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx> Link: https://patch.msgid.link/4994935.GXAFRqVoOG@xxxxxxxxxxxxx Signed-off-by: gldrk <me@xxxxxxxxxx> [ rjw: Added the tag from gldrk ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> --- **YES** This commit should definitely be backported to stable kernel trees. Here's my detailed analysis: ## Critical Bug Analysis This commit fixes a serious overflow vulnerability in the ACPICA vsnprintf() function that affects 64-bit systems. The commit message explicitly states "The old version breaks sprintf on 64-bit systems for buffers outside [0..UINT32_MAX]", indicating this is a critical functionality bug. ## Code Change Analysis The fix replaces problematic boundary checking logic: **Old problematic code:** ```c if (size != ACPI_UINT32_MAX) { end = string + size; } else { end = ACPI_CAST_PTR(char, ACPI_UINT32_MAX); } ``` **New safe code:** ```c size = ACPI_MIN(size, ACPI_PTR_DIFF(ACPI_MAX_PTR, string)); end = string + size; ``` ## Why This Needs Backporting 1. **Security Issue**: The old code could cause buffer overflows when `string + size` exceeds the maximum pointer value on 64-bit systems, potentially leading to memory corruption. 2. **Functional Breakage**: As stated in the commit message, sprintf() functionality is completely broken for large buffers on 64-bit systems, which could cause system crashes or boot failures. 3. **Low Risk Fix**: The change is minimal and well-contained, using proper ACPICA macros (`ACPI_MIN`, `ACPI_PTR_DIFF`, `ACPI_MAX_PTR`) that are designed for safe pointer arithmetic. 4. **Core Utility Function**: This affects `vsnprintf()`, a fundamental string formatting function used throughout ACPICA, meaning the impact could be widespread. ## Comparison to Similar Commits Unlike the previous ACPICA commits shown (which were mostly code style changes, fallthrough annotations, or parameter additions), this commit fixes an actual functional bug that breaks core functionality on 64-bit systems. ## Stable Tree Criteria Met - ✅ Fixes important bug affecting users - ✅ Small, contained change - ✅ Minimal regression risk - ✅ Affects critical subsystem (ACPICA string handling) - ✅ Clear technical necessity (prevents crashes/corruption) This is exactly the type of critical bugfix that stable trees are designed to carry. drivers/acpi/acpica/utprint.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/acpi/acpica/utprint.c b/drivers/acpi/acpica/utprint.c index 42b30b9f93128..7fad03c5252c3 100644 --- a/drivers/acpi/acpica/utprint.c +++ b/drivers/acpi/acpica/utprint.c @@ -333,11 +333,8 @@ int vsnprintf(char *string, acpi_size size, const char *format, va_list args) pos = string; - if (size != ACPI_UINT32_MAX) { - end = string + size; - } else { - end = ACPI_CAST_PTR(char, ACPI_UINT32_MAX); - } + size = ACPI_MIN(size, ACPI_PTR_DIFF(ACPI_MAX_PTR, string)); + end = string + size; for (; *format; ++format) { if (*format != '%') { -- 2.39.5
