[PATCH v2 1/2] efi_loader: fix buffer overrun in efi_sigstore_parse_siglist
Ilias Apalodimas
ilias.apalodimas at linaro.org
Tue Jun 30 08:23:47 CEST 2026
Hi Heinrich,
On Tue, 30 Jun 2026 at 02:35, Heinrich Schuchardt
<heinrich.schuchardt at canonical.com> wrote:
>
> In efi_sigstore_parse_siglist() sigdata is allocated. But instead of an
> allocation matching the size of sigdata, tainted external data was used
> to calculate the allocation size. This may lead to buffer overflows.
>
> * Correct the allocation size.
> * Follow the man-page. Use the structure size as second argument for
> calloc.
I think the fix is correct, but the commit message might be misleading.
Looking at the values sizeof(*sig_data) is 40b, but the
esl->signature_size - sizeof(esd->signature_owner) is way bigger and
depends on the actual signature size. So I don't think something bad
really happens apart from wasting a few bytes of memory.
The actual point of the signature size is correctly allocated a few lines below.
>
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
With the commit message updated
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> ---
> v2:
> no change
> ---
> lib/efi_loader/efi_signature.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
> index 93a4f257016..6aff5c14a89 100644
> --- a/lib/efi_loader/efi_signature.c
> +++ b/lib/efi_loader/efi_signature.c
> @@ -703,8 +703,7 @@ efi_sigstore_parse_siglist(struct efi_signature_list *esl)
> goto err;
> }
>
> - sig_data = calloc(esl->signature_size
> - - sizeof(esd->signature_owner), 1);
> + sig_data = calloc(1, sizeof(*sig_data));
> if (!sig_data) {
> EFI_PRINT("Out of memory\n");
> goto err;
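Review bot: the replacement `calloc(1, sizeof(*sig_data))` is the right size for the object being allocated, and the commit message should state precisely which case it closes: the old size expression `esl->signature_size - sizeof(esd->signature_owner)` is derived from the list header, so a `signature_size` value below `sizeof(*sig_data) + sizeof(esd->signature_owner)` yields a buffer too small for the struct that is filled in afterwards, and a value below `sizeof(esd->signature_owner)` wraps the unsigned subtraction into a huge request; for well-formed lists the old code only over-allocated. Whether an earlier check on `esl->signature_size` in this function (not visible in the hunk) already rejects those small values decides between "overflow" and "wasted memory", and citing that check in the message would settle the point raised in review.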
> --
> 2.53.0
>