KernelScan.io

HIGH

hp-bioscfg ACPI Package OOB

CVE-2025-71101

CVSS 7.1 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI: 7.1 HIGH

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing

The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities.

These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.

When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops.

The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values.

The fix changes the bounds check to validate the actual accessed index.

Engine v0.2.0

Risk summary

An out-of-bounds read vulnerability in HP's BIOS configuration driver could allow local attackers to read kernel memory beyond allocated buffers when parsing ACPI packages. This could lead to information disclosure or system instability on affected HP commercial notebooks.

Affected: drivers/platform/x86/hp/hp-bioscfg

Vulnerability analysis

Root Cause: The hp_populate_*_elements_from_package() functions in the HP BIOS configuration driver perform bounds checking only on the base array index 'elem', but fail to validate the actual accessed indices when reading multiple consecutive array elements using offsets like 'elem + reqs' or 'elem + pos_values'. This allows reading beyond the allocated ACPI package array boundaries when processing multi-element fields such as PREREQUISITES and ENUM_POSSIBLE_VALUES.

Attack Surface: This vulnerability requires local access to trigger ACPI package parsing through the HP BIOS configuration interface. An attacker would need to interact with the sysfs firmware attributes framework, typically requiring elevated privileges or specific hardware access to HP commercial notebooks with this BIOS configuration feature.

Fix Mechanism: The patch modifies the bounds checks in all affected functions to validate the actual accessed index (elem + offset) rather than just the base index (elem). This ensures that array accesses with offsets are properly bounded within the available ACPI package elements.
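The difference between the two checks, shown as an added example on a simplified model (this is not the hp-bioscfg driver's code). The names parse_field, struct result, MAX_REQS and the sample package are assumptions made for illustration; out-of-range reads are counted rather than performed so the program is safe to run.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_REQS 4   /* constructed cap on values stored per field */

struct result {
    int    values[MAX_REQS];
    size_t stored;    /* values copied out of the package */
    size_t oob;       /* reads that would have landed past the package end */
};

enum check { CHECK_ELEM_ONLY, CHECK_ACCESSED_INDEX };

/* Parse a multi-element field that starts at obj[elem] and claims `size`
 * consecutive entries. Out-of-range reads are counted, not performed. */
static struct result parse_field(const int *obj, size_t count, size_t elem,
                                 size_t size, enum check mode)
{
    struct result r = {0};

    for (size_t reqs = 0; reqs < size && reqs < MAX_REQS; reqs++) {
        /* Flawed form checks only the base index; fixed form checks the
         * index that is actually dereferenced. */
        size_t checked = (mode == CHECK_ELEM_ONLY) ? elem : elem + reqs;
        if (checked >= count)
            break;
        if (elem + reqs >= count) {   /* the check let a bad index through */
            r.oob++;
            continue;
        }
        r.values[r.stored++] = obj[elem + reqs];
    }
    return r;
}

int main(void)
{
    /* Constructed package: 5 elements, field at index 3 claims 4 entries. */
    const int pkg[] = { 10, 11, 12, 13, 14 };
    struct result a = parse_field(pkg, 5, 3, 4, CHECK_ELEM_ONLY);
    struct result b = parse_field(pkg, 5, 3, 4, CHECK_ACCESSED_INDEX);

    printf("elem-only check:      stored=%zu oob=%zu\n", a.stored, a.oob);
    printf("accessed-index check: stored=%zu oob=%zu\n", b.stored, b.oob);
    return 0;
}
```

With the base-only check, two of the four claimed entries fall past the end of the five-element package; checking elem + reqs stops the loop at the boundary.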

Branch      Fixed in    Patch commit
6.12        6.12.64     db4c26adf711
6.18        6.18.4      79cab730dbaa
6.6         6.6.120     cf7ae870560b
mainline    6.19        e44c42c830b7