[PATCH] efi_selftest: fix use-after-free
Vincent Stehlé
vincent.stehle at arm.com
Thu Jun 11 08:59:50 CEST 2026
When the `memory' efi selftest verifies the Devicetree memory reservation,
it accesses the memory_map buffer after it has been freed with free_pool().
Move the verification earlier to fix this.
Fixes: 34c96659ed57 ("efi_selftest: check fdt is marked as runtime data")
Signed-off-by: Vincent Stehlé <vincent.stehle at arm.com>
Cc: Heinrich Schuchardt <xypron.glpk at gmx.de>
Cc: Ilias Apalodimas <ilias.apalodimas at linaro.org>
Cc: Tom Rini <trini at konsulko.com>
---
lib/efi_selftest/efi_selftest_memory.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/lib/efi_selftest/efi_selftest_memory.c b/lib/efi_selftest/efi_selftest_memory.c
index 7320964c129..450470ceedd 100644
--- a/lib/efi_selftest/efi_selftest_memory.c
+++ b/lib/efi_selftest/efi_selftest_memory.c
@@ -155,6 +155,15 @@ static int execute(void)
EFI_RUNTIME_SERVICES_DATA) != EFI_ST_SUCCESS)
return EFI_ST_FAILURE;
+ /* Check memory reservation for the device tree */
+ if (fdt_addr &&
+ find_in_memory_map(map_size, memory_map, desc_size, fdt_addr,
+ EFI_ACPI_RECLAIM_MEMORY) != EFI_ST_SUCCESS) {
+ efi_st_error
+ ("Device tree not marked as ACPI reclaim memory\n");
+ return EFI_ST_FAILURE;
+ }
+
/* Free memory */
ret = boottime->free_pages(p1, EFI_ST_NUM_PAGES);
if (ret != EFI_SUCCESS) {
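Review bot: The early "return EFI_ST_FAILURE;" in the relocated device tree check now exits before boottime->free_pages(p1, EFI_ST_NUM_PAGES) and before the free_pool() of memory_map named in the commit message, so a failing check leaves both allocations behind. At its old position the check ran after those frees. The check in the context lines just above returns the same way, so this matches the function's existing pattern and may be acceptable for a selftest. If cleanup on failure matters, record the result in a local variable and return it after the frees. It would also help to extend the comment to say the check must run before memory_map is freed.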
@@ -172,14 +181,6 @@ static int execute(void)
return EFI_ST_FAILURE;
}
- /* Check memory reservation for the device tree */
- if (fdt_addr &&
- find_in_memory_map(map_size, memory_map, desc_size, fdt_addr,
- EFI_ACPI_RECLAIM_MEMORY) != EFI_ST_SUCCESS) {
- efi_st_error
- ("Device tree not marked as ACPI reclaim memory\n");
- return EFI_ST_FAILURE;
- }
return EFI_ST_SUCCESS;
}
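Review bot: With the check gone from the tail of execute(), nothing near "return EFI_ST_SUCCESS;" says that memory_map is no longer valid at this point, and appending a check here is how the original ordering problem arose. Consider a short comment at the free_pool() call (outside this hunk) stating that memory_map must not be read after it, so a later check is not added at the end of the function again.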
--
2.53.0