From: "Brüns, Stefan" <Stefan.Bruens@rwth-aachen.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 2/6] efi_loader: Fix memory map size check to avoid out-of-bounds access
Date: Fri, 30 Sep 2016 14:15:16 +0000
Message-ID: <2882323.a6QNFtegmN@sbruens-linux>
In-Reply-To: <554d48b7-73df-98ae-ba67-9208ccfea1da@suse.de>

On Friday, 30 September 2016 14:25:40 CEST Alexander Graf wrote:
> On 30.09.16 02:03, Stefan Brüns wrote:
> > memory_map_size as IN parameter specifies the size of the provided buffer.
> > If the buffer is too small, memory_map_size is updated to indicate the
> > required size, and an error code is returned.
> > 
> > Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
> 
> This patch doesn't actually change anything, does it?

It does ...

> 
> Alex
> 
> > ---
> > 
> >  lib/efi_loader/efi_memory.c | 8 +++++---
> >  1 file changed, 5 insertions(+), 3 deletions(-)
> > 
> > diff --git a/lib/efi_loader/efi_memory.c b/lib/efi_loader/efi_memory.c
> > index ebe8e94..5d71fdf 100644
> > --- a/lib/efi_loader/efi_memory.c
> > +++ b/lib/efi_loader/efi_memory.c
> > @@ -342,16 +342,18 @@ efi_status_t efi_get_memory_map(unsigned long
> > *memory_map_size,> 
> >  	map_size = map_entries * sizeof(struct efi_mem_desc);
> > 
> > -	*memory_map_size = map_size;

The caller-provided buffer size was changed here.

> > -
> > 
> >  	if (descriptor_size)
> >  	
> >  		*descriptor_size = sizeof(struct efi_mem_desc);
> >  	
> >  	if (descriptor_version)
> >  	
> >  		*descriptor_version = EFI_MEMORY_DESCRIPTOR_VERSION;
> > 
> > -	if (*memory_map_size < map_size)

-> this check was always false

> > +	if (*memory_map_size < map_size) {
> > +		*memory_map_size = map_size;
> > 
> >  		return EFI_BUFFER_TOO_SMALL;
> > 
> > +	}
> > +
> > +	*memory_map_size = map_size;
> > 
> >  	/* Copy list into array */
> >  	if (memory_map) {
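
Review bot: memory_map_size is dereferenced in the new `if (*memory_map_size < map_size)` check without a NULL test, while descriptor_size and descriptor_version just above it are both guarded; unless the pointer is validated earlier in the function, reject a NULL size pointer before the comparison. The two identical `*memory_map_size = map_size;` assignments (one in the error branch, one on the fall-through path) could be reduced to one by reading the caller's size into a local first and comparing against that local. The commit message should also say that the old code overwrote the IN value before the comparison, so the check could never return EFI_BUFFER_TOO_SMALL and the copy that follows could run past the caller's buffer; as written it does not explain why the reordering matters.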
