Linux Kernel Out-of-Bounds Array Access Vulnerability in hp-bioscfg ACPI Package Parsing

A vulnerability allowing out-of-bounds array access has been identified in the hp-bioscfg driver of the Linux kernel. This issue arises in the hp_populate_*_elements_from_package() functions, which parse ACPI packages into internal data structures. The vulnerability is present in several Linux kernel versions and stems from the functions' improper bounds checking when accessing multi-element fields in ACPI packages. Exploitation of this vulnerability could lead to memory corruption or other unintended behavior.

Impact

The vulnerability could be exploited to cause out-of-bounds memory access, potentially leading to memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by loading the hp-bioscfg driver and processing ACPI packages that contain multi-element fields such as PREREQUISITES and ENUM_POSSIBLE_VALUES. The hp_populate_*_elements_from_package() functions will read multiple consecutive array elements, allowing the out-of-bounds access to occur.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit addressing this issue is available in the Linux kernel stable tree.