From: "Vincent Stehlé" <vincent.stehle@arm.com>
To: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Tom Rini <trini@konsulko.com>,
u-boot@lists.denx.de
Subject: Re: [PATCH 1/5] efi_selftest: fix buffer overflow
Date: Tue, 10 Mar 2026 18:16:54 +0100 [thread overview]
Message-ID: <abBSBsF7Pb6gCSGL@debian> (raw)
In-Reply-To: <db9de791-60fe-4308-b2d3-66ad6eb07684@gmx.de>
On Tue, Feb 24, 2026 at 04:45:48PM +0100, Heinrich Schuchardt wrote:
Hi Heinrich,
Thanks for your review and sorry for the late reply.
My answers below.
Best regards,
Vincent.
> On 2/19/26 19:43, Vincent Stehlé wrote:
> > The test of the UEFI LocateHandleBuffer() function clears a returned buffer
> > at some point to reuse it, but there is an error in the size computation,
> > which leads to a buffer overflow; fix it.
> >
> > Fixes: 927ca890b09f ("efi_selftest: test protocol management")
> > Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
> > Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
> > Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> > Cc: Tom Rini <trini@konsulko.com>
> > ---
> > lib/efi_selftest/efi_selftest_manageprotocols.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/lib/efi_selftest/efi_selftest_manageprotocols.c b/lib/efi_selftest/efi_selftest_manageprotocols.c
> > index 097b2ae3545..ccffa59095d 100644
> > --- a/lib/efi_selftest/efi_selftest_manageprotocols.c
> > +++ b/lib/efi_selftest/efi_selftest_manageprotocols.c
> > @@ -241,7 +241,7 @@ static int execute(void)
> > return EFI_ST_FAILURE;
> > }
> > /* Clear the buffer, we are reusing it it the next step. */
> > - boottime->set_mem(buffer, sizeof(efi_handle_t) * buffer_size, 0);
> > + boottime->set_mem(buffer, sizeof(efi_handle_t) * count, 0);
> > /*
> > * Test LocateHandle with ByProtocol
>
> Hello Vincent,
>
> Thank you for reviewing the code and pointing to an issue.
>
> The fix looks incomplete to me:
You are right: I broke down all the fixes into multiple steps, which explains
why the first patch ("fix buffer overflow") is not the full story.
I thought this would ease reviewing but now I wonder if that was maybe a bad
idea. Let me know if I should send a v2 with the series as a single patch if
that helps.
>
> In line 167 we allocate a buffer with LocateHandleBuffer(). Assigning
> buffer_size in line 173 does not make any sense, as we free the buffer in
> line 185.
This is removed in patch 4 ("fix buffer size and count computations").
>
> In line 223 we allocate another buffer with LocateHandleBuffer().
> Assigning the value of buffer_size value to count before the invocation
> doesn't make much sense.
This is removed in patch 3 ("remove unnecessary initializations").
>
> You fix in line 244 looks correct.
>
> Line 249 sets count to an arbitrary value that is not related to the size of
> the buffer.
This part is reworked in patch 4 to use buffer_size instead.
>
> Line 260 sets variable buffer_size and buffer_size is again used in line 306
> to set count to an unused value.
This is removed in patch 3.
>
> We should completely remove variable buffer_size from the function.
The patch series takes a different approach: keep both count and buffer_size
variables, and make sure to use those variables to contain quantities
corresponding to their respective names.
>
> Best regards
>
> Heinrich
next prev parent reply other threads:[~2026-03-10 17:17 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-19 18:43 [PATCH 0/5] efi_selftest: manageprotocols fixes and enhancements Vincent Stehlé
2026-02-19 18:43 ` [PATCH 1/5] efi_selftest: fix buffer overflow Vincent Stehlé
2026-02-20 7:37 ` Ilias Apalodimas
2026-02-24 15:45 ` Heinrich Schuchardt
2026-03-10 17:16 ` Vincent Stehlé [this message]
2026-02-19 18:43 ` [PATCH 2/5] efi_selftest: fix buffer overflow and memory leak Vincent Stehlé
2026-02-20 9:10 ` Ilias Apalodimas
2026-02-19 18:43 ` [PATCH 3/5] efi_selftest: remove unnecessary initializations Vincent Stehlé
2026-02-20 7:43 ` Ilias Apalodimas
2026-02-19 18:43 ` [PATCH 4/5] efi_selftest: fix buffer size and count computations Vincent Stehlé
2026-02-20 9:13 ` Ilias Apalodimas
2026-02-19 18:44 ` [PATCH 5/5] efi_selftest: cosmetic: fix spelling in comments Vincent Stehlé
2026-02-20 7:42 ` Ilias Apalodimas
2026-02-24 15:55 ` Heinrich Schuchardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abBSBsF7Pb6gCSGL@debian \
--to=vincent.stehle@arm.com \
--cc=heinrich.schuchardt@canonical.com \
--cc=ilias.apalodimas@linaro.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox