mirrors/u-boot
1
0
Fork 0
mirror of https://source.denx.de/u-boot/u-boot.git synced 2026-03-17 11:51:04 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

efi_loader: avoid buffer overrun in efi_var_restore()

Browse Source 
The value of buf->length comes from outside U-Boot and may be incorrect.
We must avoid to overrun our internal buffer for excessive values.

If buf->length is shorter than the variable file header, the variable
file is invalid.

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This commit is contained in:
Heinrich Schuchardt 2026-03-11 18:30:33 +01:00
parent 41be502c1c
commit a9080e600c
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/efi_loader/efi_var_common.c
View File

@ -497,6 +497,8 @@ efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe)
efi_status_t ret;
if (buf->reserved || buf->magic != EFI_VAR_FILE_MAGIC ||
buf->length > EFI_VAR_BUF_SIZE ||
buf->length < sizeof(struct efi_var_file) ||
buf->crc32 != crc32(0, (u8 *)buf->var,
buf->length - sizeof(struct efi_var_file))) {
log_err("Invalid EFI variables file\n");