[PATCH] efi_selftest: fix use-after-free
Heinrich Schuchardt
xypron.glpk at gmx.de
Thu Jun 11 09:20:19 CEST 2026
On 6/11/26 08:59, Vincent Stehlé wrote:
> When the `memory' efi selftest verifies the Devicetree memory reservation,
> it accesses the memory_map buffer after it has been freed with free_pool().
> Move the verification earlier to fix this.
>
> Fixes: 34c96659ed57 ("efi_selftest: check fdt is marked as runtime data")
> Signed-off-by: Vincent Stehlé <vincent.stehle at arm.com>
> Cc: Heinrich Schuchardt <xypron.glpk at gmx.de>
> Cc: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> Cc: Tom Rini <trini at konsulko.com>
Thank you for the fix.
Reviewed-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
> ---
> lib/efi_selftest/efi_selftest_memory.c | 17 +++++++++--------
> 1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/lib/efi_selftest/efi_selftest_memory.c b/lib/efi_selftest/efi_selftest_memory.c
> index 7320964c129..450470ceedd 100644
> --- a/lib/efi_selftest/efi_selftest_memory.c
> +++ b/lib/efi_selftest/efi_selftest_memory.c
> @@ -155,6 +155,15 @@ static int execute(void)
> EFI_RUNTIME_SERVICES_DATA) != EFI_ST_SUCCESS)
> return EFI_ST_FAILURE;
>
> + /* Check memory reservation for the device tree */
> + if (fdt_addr &&
> + find_in_memory_map(map_size, memory_map, desc_size, fdt_addr,
> + EFI_ACPI_RECLAIM_MEMORY) != EFI_ST_SUCCESS) {
> + efi_st_error
> + ("Device tree not marked as ACPI reclaim memory\n");
> + return EFI_ST_FAILURE;
> + }
> +
> /* Free memory */
> ret = boottime->free_pages(p1, EFI_ST_NUM_PAGES);
> if (ret != EFI_SUCCESS) {
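Review bot: the `return EFI_ST_FAILURE;` in the relocated device tree check now sits above the `/* Free memory */` step, so when the check fails `boottime->free_pages(p1, EFI_ST_NUM_PAGES)` is never reached and the test pages stay allocated. The context lines just above show the preceding check returning early in the same way, so this matches the function's existing pattern. If cleanup on failure matters for later selftests, consider recording the failure and falling through to the free calls, or routing both checks through a common cleanup label.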
> @@ -172,14 +181,6 @@ static int execute(void)
> return EFI_ST_FAILURE;
> }
>
> - /* Check memory reservation for the device tree */
> - if (fdt_addr &&
> - find_in_memory_map(map_size, memory_map, desc_size, fdt_addr,
> - EFI_ACPI_RECLAIM_MEMORY) != EFI_ST_SUCCESS) {
> - efi_st_error
> - ("Device tree not marked as ACPI reclaim memory\n");
> - return EFI_ST_FAILURE;
> - }
> return EFI_ST_SUCCESS;
> }
>
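Review bot: after this removal nothing in the visible tail of `execute()` reads `memory_map`, which is the intent, but nothing stops a later change from adding another `find_in_memory_map()` call here and reintroducing the bug. Since the commit message says the buffer is released with free_pool() before this point, a short comment at that free, or setting `memory_map` to NULL right after it, would document that the map is invalid from there on.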