From: Stefan Brüns
Date: Fri, 30 Sep 2016 14:15:16 +0000
Subject: [U-Boot] [PATCH 2/6] efi_loader: Fix memory map size check to avoid out-of-bounds access
In-Reply-To: <554d48b7-73df-98ae-ba67-9208ccfea1da@suse.de>
References: <20160930000400.28198-1-stefan.bruens@rwth-aachen.de> <6163987eef9c4a5eb9469e104443e5bd@rwthex-w2-b.rwth-ad.de> <554d48b7-73df-98ae-ba67-9208ccfea1da@suse.de>
Message-ID: <2882323.a6QNFtegmN@sbruens-linux>
To: u-boot@lists.denx.de

On Friday, 30 September 2016 14:25:40 CEST Alexander Graf wrote:
> On 30.09.16 02:03, Stefan Brüns wrote:
> > memory_map_size as IN parameter specifies the size of the provided buffer.
> > If the buffer is too small, memory_map_size is updated to indicate the
> > required size, and an error code is returned.
> >
> > Signed-off-by: Stefan Brüns
>
> This patch doesn't actually change anything, does it?

It does ...

>
> Alex
>
> > ---
> >
> > lib/efi_loader/efi_memory.c | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/lib/efi_loader/efi_memory.c b/lib/efi_loader/efi_memory.c
> > index ebe8e94..5d71fdf 100644
> > --- a/lib/efi_loader/efi_memory.c
> > +++ b/lib/efi_loader/efi_memory.c
> > @@ -342,16 +342,18 @@ efi_status_t efi_get_memory_map(unsigned long > > *memory_map_size,> > > map_size = map_entries * sizeof(struct efi_mem_desc); > > > > - *memory_map_size = map_size; The caller provided buffer size was changed here > > - > > > > if (descriptor_size) > > > > *descriptor_size = sizeof(struct efi_mem_desc); > > > > if (descriptor_version) > > > > *descriptor_version = EFI_MEMORY_DESCRIPTOR_VERSION; > > > > - if (*memory_map_size < map_size) -> this check was always false > > + if (*memory_map_size < map_size) { > > + *memory_map_size = map_size; > > > > return EFI_BUFFER_TOO_SMALL; > > > > + } > > + > > + *memory_map_size = map_size; > > > > /* Copy list into array */ > > if (memory_map) {
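Review bot: memory_map_size is still dereferenced without a NULL check in this hunk, while descriptor_size and descriptor_version a few lines above each get an `if (...)` guard before being written; the UEFI spec has GetMemoryMap() return EFI_INVALID_PARAMETER when MemoryMapSize is NULL, so an `if (!memory_map_size) return EFI_INVALID_PARAMETER;` ahead of the compare would close that gap and make the three out-parameters consistent. The two `*memory_map_size = map_size;` stores (inside the too-small branch and again after the closing `}`) can be folded into a single store before the `if` provided the compare uses a local copy of the caller's value taken at function entry, e.g. `unsigned long provided = *memory_map_size;`, which keeps the one-assignment shape of the original without reintroducing the ordering bug. The retained `if (memory_map) {` guard also means a NULL memory_map with a large enough size skips the copy and falls through to success; the spec calls for EFI_INVALID_PARAMETER in that case as well.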
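To make the ordering bug concrete, here is an added stand-alone model of the size check before and after this patch. It is example code written for this review, not U-Boot's efi_get_memory_map(): the function names get_memory_map_buggy and get_memory_map_fixed, the sample_map table, the status constants and the probe() harness are all constructed for illustration, and only the efi_mem_desc field layout follows EFI_MEMORY_DESCRIPTOR. The caller hands in room for two descriptors while the map holds four; the bytes past the caller's portion are filled with a canary so an overrun is observable instead of silently corrupting memory.

```c
/* Added example, not U-Boot code: a stand-alone model of the size check in
 * efi_get_memory_map() before and after the patch. sample_map, the status
 * values and probe() are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long efi_status_t;
#define EFI_SUCCESS          0UL
#define EFI_BUFFER_TOO_SMALL 5UL	/* constructed; the real value is EFI_ERROR(5) */

/* Same fields as EFI_MEMORY_DESCRIPTOR (40 bytes). */
struct efi_mem_desc {
	uint32_t type;
	uint32_t reserved;
	uint64_t physical_start;
	uint64_t virtual_start;
	uint64_t num_pages;
	uint64_t attribute;
};

#define MAP_ENTRIES 4
/* Constructed stand-in for U-Boot's efi_mem list. */
static const struct efi_mem_desc sample_map[MAP_ENTRIES] = {
	{ 7, 0, 0x00000000, 0, 0x100, 0 },
	{ 1, 0, 0x00100000, 0, 0x080, 0 },
	{ 2, 0, 0x00180000, 0, 0x040, 0 },
	{ 7, 0, 0x001c0000, 0, 0x400, 0 },
};

/* Before the patch: the caller's size is overwritten before it is compared,
 * so the check can never fire and map_size bytes are copied regardless. */
static efi_status_t get_memory_map_buggy(unsigned long *memory_map_size,
					 struct efi_mem_desc *memory_map)
{
	unsigned long map_size = MAP_ENTRIES * sizeof(struct efi_mem_desc);

	*memory_map_size = map_size;
	if (*memory_map_size < map_size)	/* always false */
		return EFI_BUFFER_TOO_SMALL;
	if (memory_map)
		memcpy(memory_map, sample_map, map_size);	/* overruns a short buffer */
	return EFI_SUCCESS;
}

/* After the patch: compare first, report the required size, and return
 * before the buffer is touched. */
static efi_status_t get_memory_map_fixed(unsigned long *memory_map_size,
					 struct efi_mem_desc *memory_map)
{
	unsigned long map_size = MAP_ENTRIES * sizeof(struct efi_mem_desc);

	if (*memory_map_size < map_size) {
		*memory_map_size = map_size;
		return EFI_BUFFER_TOO_SMALL;
	}
	*memory_map_size = map_size;
	if (memory_map)
		memcpy(memory_map, sample_map, map_size);
	return EFI_SUCCESS;
}

typedef efi_status_t (*get_map_fn)(unsigned long *, struct efi_mem_desc *);

struct probe_result {
	efi_status_t status;	/* what the callee returned */
	unsigned long size;	/* what it left in *memory_map_size */
	int canary_intact;	/* 1 if nothing past the caller's buffer was written */
};

/* Calls impl with a buffer sized for caller_entries descriptors. The backing
 * storage holds the whole map, and everything past the caller's portion is
 * filled with 0xA5 so an overrun shows up as a clobbered canary. */
static struct probe_result probe(get_map_fn impl, unsigned long caller_entries)
{
	union {
		uint64_t align;		/* keep the descriptor pointer 8-byte aligned */
		uint8_t bytes[MAP_ENTRIES * sizeof(struct efi_mem_desc)];
	} buf;
	unsigned long owned = caller_entries * sizeof(struct efi_mem_desc);
	struct probe_result r;
	size_t i;

	memset(buf.bytes, 0, sizeof(buf.bytes));
	memset(buf.bytes + owned, 0xA5, sizeof(buf.bytes) - owned);

	r.size = owned;		/* IN: what the caller really has */
	r.status = impl(&r.size, (struct efi_mem_desc *)buf.bytes);

	r.canary_intact = 1;
	for (i = owned; i < sizeof(buf.bytes); i++)
		if (buf.bytes[i] != 0xA5)
			r.canary_intact = 0;
	return r;
}

int main(void)
{
	struct probe_result b = probe(get_memory_map_buggy, 2);
	struct probe_result f = probe(get_memory_map_fixed, 2);

	printf("buggy: status=%lu size=%lu canary_intact=%d\n",
	       b.status, b.size, b.canary_intact);
	printf("fixed: status=%lu size=%lu canary_intact=%d\n",
	       f.status, f.size, f.canary_intact);
	return 0;
}
```

Run with a two-entry caller buffer, the buggy variant reports EFI_SUCCESS and the canary region past the caller's 80 bytes is overwritten; the fixed variant returns EFI_BUFFER_TOO_SMALL with the required 160 bytes left in the size out-parameter and the canary untouched, which is the contract the commit message describes. Handing the fixed variant a full four-entry buffer takes the success path with nothing past the buffer written.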