[PATCH 1/1] efi_loader: avoid buffer overrun in efi_var_restore()

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri Mar 13 08:14:20 CET 2026


On Wed, 11 Mar 2026 at 19:30, Heinrich Schuchardt
<heinrich.schuchardt at canonical.com> wrote:
>
> The value of buf->length comes from outside U-Boot and may be incorrect.
> We must avoid overrunning our internal buffer for excessive values.
>
> If buf->length is shorter than the variable file header, the variable
> file is invalid.
>
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
> ---

Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>

>  lib/efi_loader/efi_var_common.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
> index 5ea1688dca3..c89a4fce4ff 100644
> --- a/lib/efi_loader/efi_var_common.c
> +++ b/lib/efi_loader/efi_var_common.c
> @@ -497,6 +497,8 @@ efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe)
>         efi_status_t ret;
>
>         if (buf->reserved || buf->magic != EFI_VAR_FILE_MAGIC ||
> +           buf->length > EFI_VAR_BUF_SIZE ||
> +           buf->length < sizeof(struct efi_var_file) ||
>             buf->crc32 != crc32(0, (u8 *)buf->var,
>                                 buf->length - sizeof(struct efi_var_file))) {
>                 log_err("Invalid EFI variables file\n");
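Review bot: The upper bound added in the condition, `buf->length > EFI_VAR_BUF_SIZE`, only prevents an overrun if every caller passes a buffer of at least EFI_VAR_BUF_SIZE bytes, and the signature `efi_var_restore(struct efi_var_file *buf, bool safe)` carries no size to confirm that. Consider stating that requirement in the function's documentation, or passing the real buffer size and comparing against it. The lower bound `buf->length < sizeof(struct efi_var_file)` has to stay ahead of the crc32() call, because `buf->length - sizeof(struct efi_var_file)` would wrap to a huge length for short values; a one-line comment saying the order of the `||` operands matters would keep a later reshuffle from reintroducing the overrun.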
> --
> 2.53.0
>

