[PATCH 1/2] efi_loader: fix buffer overrun in efi_sigstore_parse_siglist
Heinrich Schuchardt
heinrich.schuchardt at canonical.com
Tue Jun 30 00:52:17 CEST 2026
In efi_sigstore_parse_siglist() sigdata is allocated. But instead of an
allocation matching the size of sigdata, tainted external data was used
to calculate the allocation size. This may lead to buffer overflows.
* Correct the allocation size.
* Follow the man-page. Use the structure size as second argument for
  calloc.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
---
lib/efi_loader/efi_signature.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 93a4f257016..6aff5c14a89 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -703,8 +703,7 @@ efi_sigstore_parse_siglist(struct efi_signature_list *esl)
goto err;
}
- sig_data = calloc(esl->signature_size
- - sizeof(esd->signature_owner), 1);
+ sig_data = calloc(1, sizeof(*sig_data));
if (!sig_data) {
EFI_PRINT("Out of memory\n");
goto err;
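Review bot: The removed size expression esl->signature_size - sizeof(esd->signature_owner) had no lower-bound check visible in this hunk, and the hunk does not show whether the same difference is still used further down in efi_sigstore_parse_siglist(), for example as the length of the signature payload. If it is, please confirm that esl->signature_size is checked to be at least sizeof(esd->signature_owner) before the subtraction, because the result wraps to a very large value when signature_size is smaller. The new calloc(1, sizeof(*sig_data)) sizes the node itself and looks right for that purpose. The commit message writes "sigdata" where the code uses sig_data, and a Fixes: tag naming the commit that introduced the original calloc() call would make the change easier to track.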
--
2.53.0