Merge: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl

CKI KWF Bot · CKI KWF Bot · commit f81172e4bfb6 · 2025-07-24T20:09:54.000-04:00
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/1175 JIRA: https://issues.redhat.com/browse/RHEL-76136 CVE: CVE-2024-56662 Pull in fix for CVE-2024-56662 Signed-off-by: Jeff Moyer <jmoyer@redhat.com> Approved-by: Lenny Szubowicz <lszubowi@redhat.com> Approved-by: Ewan D. Milne <emilne@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>
diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
@@ -454,8 +454,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
 	if (cmd_rc)
 		*cmd_rc = -EINVAL;
 
-	if (cmd == ND_CMD_CALL)
+	if (cmd == ND_CMD_CALL) {
+		if (!buf || buf_len < sizeof(*call_pkg))
+			return -EINVAL;
+
 		call_pkg = buf;
+	}
+
 	func = cmd_to_func(nfit_mem, cmd, call_pkg, &family);
 	if (func < 0)
 		return func;
