Version: Linux kernel 5.4.233
Location: drivers/acpi/acpica/dbhistry.c line 74:5

The acpi_gbl_history_buffer[acpi_gbl_next_history_index].command is assigned in the if statement when cmd_len > buffer_len, or assigned in the else statement. The acpi_os_allocate function calls kmalloc. It will return a NULL pointer when it triggers OOM. But the pointer check before strcpy is missing. This can create unmanageable situations, or crash the system.

Vulnerable code:
```
void acpi_db_add_to_history(char *command_line)
{
	u16 cmd_len;
	u16 buffer_len;

	/* Put command into the next available slot */

	cmd_len = (u16)strlen(command_line);
	if (!cmd_len) {
		return;
	}

	if (acpi_gbl_history_buffer[acpi_gbl_next_history_index].command != NULL) {
		buffer_len = (u16)strlen(acpi_gbl_history_buffer[acpi_gbl_next_history_index].command);
		if (cmd_len > buffer_len) {
			acpi_os_free(acpi_gbl_history_buffer[acpi_gbl_next_history_index].command);
			acpi_gbl_history_buffer[acpi_gbl_next_history_index].command = acpi_os_allocate(cmd_len + 1);
		}
	} else {
		acpi_gbl_history_buffer[acpi_gbl_next_history_index].command = acpi_os_allocate(cmd_len + 1);
	}

	/* <!> acpi_os_allocate() may have returned NULL; there is no check before this strcpy */
	strcpy(acpi_gbl_history_buffer[acpi_gbl_next_history_index].command, command_line);
	acpi_gbl_history_buffer[acpi_gbl_next_history_index].cmd_num = acpi_gbl_next_cmd_num;
```

Patch diff code:
```
--- drivers/acpi/acpica/dbhistry.c	2023-03-06 16:13:22
+++ drivers/acpi/acpica/dbhistry.c	2023-03-06 16:15:29
@@ -71,6 +71,10 @@
 		    acpi_os_allocate(cmd_len + 1);
 	}
 
+	if (!acpi_gbl_history_buffer[acpi_gbl_next_history_index].command){
+		return;
+	}
+
 	strcpy(acpi_gbl_history_buffer[acpi_gbl_next_history_index].command,
 	       command_line);
```

This better be fixed, thanks!

Best regards,
ZhengHan
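Review bot: the early return sits after the acpi_os_free() in the cmd_len > buffer_len branch, so when acpi_os_allocate() fails a slot that previously held a command is left with command == NULL and the rest of the function (the cmd_num update and whatever follows) is skipped; please confirm that every reader of acpi_gbl_history_buffer tolerates an empty slot in the middle of the ring, and consider reporting the dropped command (for example with ACPI_ERROR or acpi_os_printf) instead of returning silently, since the debugger otherwise loses history with no indication of why. Style nit: kernel style wants a space before the brace, `.command) {` rather than `.command){`.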
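The failure mode the report describes, modelled in user space as an added example (this is not the report's code, not the kernel's, and not the patch): a small ring of history slots, a fault-injecting allocator standing in for acpi_os_allocate/kmalloc, and a hardened store routine that returns an error instead of handing a NULL pointer to strcpy. HIST_SIZE, hist_slot, hist_add_checked, hist_get, hist_count, sim_allocate and sim_fail_next_allocation are names assumed here, and the ring-advance logic is a simplification of the kernel function; the commands are constructed sample input.

```c
/*
 * Added example, not from the bug report or the kernel: a user-space model of
 * acpi_db_add_to_history() with a fault-injecting allocator, so the effect of
 * a failed allocation can be exercised without an OOM condition.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HIST_SIZE 2                 /* assumption: tiny ring so it wraps quickly */

struct hist_slot {
    char *command;                  /* models acpi_gbl_history_buffer[i].command */
    unsigned int cmd_num;           /* models acpi_gbl_history_buffer[i].cmd_num */
};

static struct hist_slot hist[HIST_SIZE];
static unsigned int next_index;     /* models acpi_gbl_next_history_index */
static unsigned int next_cmd_num;   /* models acpi_gbl_next_cmd_num */

/* Fault injection: when set, the next allocation returns NULL (kmalloc under OOM). */
static int sim_fail_next_alloc;

void sim_fail_next_allocation(void)
{
    sim_fail_next_alloc = 1;
}

static void *sim_allocate(size_t size)  /* stands in for acpi_os_allocate() */
{
    if (sim_fail_next_alloc) {
        sim_fail_next_alloc = 0;
        return NULL;
    }
    return malloc(size);
}

/*
 * Hardened version of the reported function. Returns 0 on success and -1 when
 * the command could not be stored. The buffer logic mirrors the original:
 * reuse the slot's buffer if it is large enough, otherwise free it and
 * allocate a new one, which is exactly where a NULL can appear.
 */
int hist_add_checked(const char *command_line)
{
    size_t cmd_len = strlen(command_line);
    struct hist_slot *slot = &hist[next_index];

    if (!cmd_len)
        return 0;                   /* empty commands are not recorded */

    if (slot->command) {
        if (cmd_len > strlen(slot->command)) {
            free(slot->command);    /* old buffer is gone before the new one exists */
            slot->command = sim_allocate(cmd_len + 1);
        }
    } else {
        slot->command = sim_allocate(cmd_len + 1);
    }

    /* The check the patch adds: after a failed allocation the slot is empty. */
    if (!slot->command)
        return -1;

    memcpy(slot->command, command_line, cmd_len + 1);
    slot->cmd_num = next_cmd_num++;
    next_index = (next_index + 1) % HIST_SIZE;
    return 0;
}

/* Command stored in slot i, or NULL if the slot is empty or out of range. */
const char *hist_get(unsigned int i)
{
    return i < HIST_SIZE ? hist[i].command : NULL;
}

/* Number of occupied slots; a failed store leaves a hole that readers must tolerate. */
unsigned int hist_count(void)
{
    unsigned int n = 0;
    for (unsigned int i = 0; i < HIST_SIZE; i++)
        if (hist[i].command)
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample commands; the third needs a bigger buffer than slot 0 has. */
    hist_add_checked("methods");
    hist_add_checked("namespace \\_SB");
    sim_fail_next_allocation();
    int rc = hist_add_checked("disassemble \\_SB.PCI0._PRT");
    printf("third store returned %d, %u command(s) kept\n", rc, hist_count());
    return 0;
}
```

Calling sim_fail_next_allocation() before a store that needs a larger buffer reproduces the worst case the patch handles: the old buffer has already been freed when the allocation fails, so the slot is empty afterwards and the caller gets -1 instead of the kernel crashing inside strcpy.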