[U-Boot] [PATCH v2 2/6] efi_loader: Fix memory map size check to avoid out-of-bounds access

Alexander Graf agraf at suse.de
Sat Oct 1 19:36:27 CEST 2016



On 01.10.16 19:31, Stefan Brüns wrote:
> Do not overwrite the specified size of the provided buffer without
> having checked it is sufficient.
> 
> If the buffer is too small, memory_map_size is updated to indicate the
> required size, and an error code is returned.
> 
> Signed-off-by: Stefan Brüns <stefan.bruens at rwth-aachen.de>
> ---
>  lib/efi_loader/efi_memory.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/lib/efi_loader/efi_memory.c b/lib/efi_loader/efi_memory.c
> index ebe8e94..72a5870 100644
> --- a/lib/efi_loader/efi_memory.c
> +++ b/lib/efi_loader/efi_memory.c
> @@ -342,6 +342,11 @@ efi_status_t efi_get_memory_map(unsigned long *memory_map_size,
>  
>  	map_size = map_entries * sizeof(struct efi_mem_desc);
>  
> +	if (*memory_map_size < map_size) {
> +		*memory_map_size = map_size;
> +		return EFI_BUFFER_TOO_SMALL;
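
Review bot: The early return of EFI_BUFFER_TOO_SMALL inside the new "if (*memory_map_size < map_size)" block exits after writing only *memory_map_size, as far as the quoted lines show. If the function reports other values through out-parameters further down (the reply below mentions the descriptor size), a caller that probes with a too-small buffer will get the required size but nothing else. Consider filling those outputs before this check, and add a comment above the check stating which outputs are valid when EFI_BUFFER_TOO_SMALL is returned.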

IIRC I had issues with that approach in the past with payloads that
wanted to determine the descriptor size regardless of the error output.
I liked your previous version better - it really just needed a
description overhaul :)


Alex

