From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alexander Graf
Date: Fri, 30 Sep 2016 14:25:40 +0200
Subject: [U-Boot] [PATCH 2/6] efi_loader: Fix memory map size check to avoid out-of-bounds access
In-Reply-To: <6163987eef9c4a5eb9469e104443e5bd@rwthex-w2-b.rwth-ad.de>
References: <20160930000400.28198-1-stefan.bruens@rwth-aachen.de> <6163987eef9c4a5eb9469e104443e5bd@rwthex-w2-b.rwth-ad.de>
Message-ID: <554d48b7-73df-98ae-ba67-9208ccfea1da@suse.de>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On 30.09.16 02:03, Stefan Brüns wrote:
> memory_map_size as IN parameter specifies the size of the provided buffer.
> If the buffer is too small, memory_map_size is updated to indicate the
> required size, and an error code is returned.
>
> Signed-off-by: Stefan Brüns

This patch doesn't actually change anything, does it?

Alex

> --- > lib/efi_loader/efi_memory.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/lib/efi_loader/efi_memory.c b/lib/efi_loader/efi_memory.c > index ebe8e94..5d71fdf 100644 > --- a/lib/efi_loader/efi_memory.c > +++ b/lib/efi_loader/efi_memory.c > @@ -342,16 +342,18 @@ efi_status_t efi_get_memory_map(unsigned long *memory_map_size, > > map_size = map_entries * sizeof(struct efi_mem_desc); > > - *memory_map_size = map_size; > - > if (descriptor_size) > *descriptor_size = sizeof(struct efi_mem_desc); > > if (descriptor_version) > *descriptor_version = EFI_MEMORY_DESCRIPTOR_VERSION; > > - if (*memory_map_size < map_size) > + if (*memory_map_size < map_size) { > + *memory_map_size = map_size; > return EFI_BUFFER_TOO_SMALL; > + } > + > + *memory_map_size = map_size; > > /* Copy list into array */ > if (memory_map) { >
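
Review bot: The commit message should say why the old size check in efi_get_memory_map() never fired, because the hunk alone makes the change look like a reshuffle. In the removed lines, "*memory_map_size = map_size;" ran before "if (*memory_map_size < map_size)", so the comparison was map_size against itself, always false, and execution fell through to the "Copy list into array" block whatever buffer size the caller had passed in. With the store moved after the comparison, the caller's IN value is what gets tested. Separately, the store now appears twice, once inside the new braces and once right after them; reading the caller's value into a local first, assigning "*memory_map_size = map_size;" once, and comparing the local against map_size gives the same result with a single store and is harder to break in a later edit. The body of "if (memory_map) {" is cut off here, so the copy itself cannot be checked from this hunk.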