From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alexander Graf
Date: Mon, 10 Oct 2016 13:32:11 +0200
Subject: [U-Boot] [PATCH v4 2/7] efi_loader: Fix memory map size check to avoid out-of-bounds access
In-Reply-To:
References: <20161001213229.19522-3-stefan.bruens@rwth-aachen.de>
Message-ID: <57FB7C3B.6090801@suse.de>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On 10/09/2016 10:17 PM, Stefan Brüns wrote:
> The current efi_get_memory_map() function overwrites the map_size
> property before reading its value. That way the sanity check whether our
> memory map fits into the given array always succeeds, potentially
> overwriting arbitrary payload memory.
>
> This patch moves the property update write after its sanity check, so
> that the check actually verifies the correct value.
>
> So far this has not triggered any known bugs, but we're better off safe
> than sorry.
>
> If the buffer is too small, the returned memory_map_size indicates the
> required size to the caller.
>
> Signed-off-by: Stefan Brüns

Reviewed-by: Alexander Graf

Alex
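
The ordering problem the commit message describes, as an added example that is not part of this mail or of U-Boot's source: a simplified model in which the size check runs after the in/out size has already been overwritten, next to the corrected order. All names (`mem_desc`, `fw_map`, `get_map_before`, `get_map_after`, `run`) and the sample map are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
struct mem_desc { unsigned long start, pages; };  /* hypothetical descriptor */
static const struct mem_desc fw_map[4] = {        /* constructed sample map */
    {0x00000000, 16}, {0x00010000, 32}, {0x00030000, 8}, {0x00038000, 64},
};
enum { ST_SUCCESS, ST_BUFFER_TOO_SMALL };

/* Ordering the commit message describes as the bug. */
static int get_map_before(size_t *map_size, void *buf)
{
    *map_size = sizeof(fw_map);       /* caller's buffer size is lost here */
    if (*map_size < sizeof(fw_map))   /* compares the value with itself */
        return ST_BUFFER_TOO_SMALL;
    memcpy(buf, fw_map, sizeof(fw_map));
    return ST_SUCCESS;
}

/* Ordering after the fix: read the caller's size, then report the need. */
static int get_map_after(size_t *map_size, void *buf)
{
    size_t provided = *map_size;
    *map_size = sizeof(fw_map);       /* required size goes back either way */
    if (provided < sizeof(fw_map))
        return ST_BUFFER_TOO_SMALL;
    memcpy(buf, fw_map, sizeof(fw_map));
    return ST_SUCCESS;
}

struct result { int status; size_t reported, clobbered; };
/* Caller claims room for 2 descriptors. The arena is full-sized so the
 * oversized copy stays in bounds here; bytes past the claim are a canary. */
static struct result run(int (*fn)(size_t *, void *))
{
    unsigned char arena[sizeof(fw_map)];
    size_t claimed = 2 * sizeof(struct mem_desc), i;
    struct result r = { 0, claimed, 0 };
    memset(arena, 0xAA, sizeof(arena));
    r.status = fn(&r.reported, arena);
    for (i = claimed; i < sizeof(arena); i++)
        r.clobbered += (arena[i] != 0xAA);  /* count overwritten canary bytes */
    return r;
}

int main(void)
{
    struct result b = run(get_map_before), a = run(get_map_after);
    printf("before: status=%d clobbered=%zu\n", b.status, b.clobbered);
    printf("after:  status=%d clobbered=%zu\n", a.status, a.clobbered);
}
```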