ACPICA: Prevent possible allocation overrun during object copy

Original code did not handle the case where the object to be
copied was a namespace node.

Signed-off-by: Lin Ming <ming.m.lin@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>

1 files changed, 11 insertions, 3 deletions

diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c
index 97ec3621e71d..6fef83f04bcd 100644
--- a/drivers/acpi/acpica/utcopy.c
+++ b/drivers/acpi/acpica/utcopy.c
@@ -677,16 +677,24 @@ acpi_ut_copy_simple_object(union acpi_operand_object *source_desc,
         u16 reference_count;
         union acpi_operand_object *next_object;
         acpi_status status;
+        acpi_size copy_size;
 
         /* Save fields from destination that we don't want to overwrite */
 
         reference_count = dest_desc->common.reference_count;
         next_object = dest_desc->common.next_object;
 
-        /* Copy the entire source object over the destination object */
+        /*
+         * Copy the entire source object over the destination object.
+         * Note: Source can be either an operand object or namespace node.
+         */
+        copy_size = sizeof(union acpi_operand_object);
+        if (ACPI_GET_DESCRIPTOR_TYPE(source_desc) == ACPI_DESC_TYPE_NAMED) {
+                copy_size = sizeof(struct acpi_namespace_node);
+        }
 
-        ACPI_MEMCPY((char *)dest_desc, (char *)source_desc,
-                    sizeof(union acpi_operand_object));
+        ACPI_MEMCPY(ACPI_CAST_PTR(char, dest_desc),
+                    ACPI_CAST_PTR(char, source_desc), copy_size);
 
         /* Restore the saved fields */