Commit 67cd4a63487400317f1586b130bc2475767a5315
Committed by
Tom Rini
1 parent
301e803867
Exists in
master
and in
53 other branches
disk: Fix possible out-of-bounds access in part_efi.c
Make sure to never access beyond bounds of either EFI partition name or DOS partition name. This situation is happening: part.h: disk_partition_t->name is 32-byte long part_efi.h: gpt_entry->partition_name is 36-bytes long The loop in part_efi.c copies over 36 bytes and thus accesses beyond the disk_partition_t->name . Fix this by picking the shortest of source and destination arrays and make sure the destination array is cleared so the trailing bytes are zeroed-out and don't cause issues with string manipulation. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Tom Rini <trini@ti.com> Cc: Simon Glass <sjg@chromium.org>
Showing 1 changed file with 8 additions and 3 deletions
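--- a/disk/part_efi.c
+++ b/disk/part_efi.c
@@ -372,8 +372,8 @@
 u32 offset = (u32)le32_to_cpu(gpt_h->first_usable_lba);
 ulong start;
 int i, k;
-size_t name_len;
+size_t efiname_len, dosname_len;
 #ifdef CONFIG_PARTITION_UUIDS
 char *str_uuid;
 #endif
 
@@ -420,9 +420,14 @@
 sizeof(gpt_entry_attributes));
 
 /* partition name */
-name_len = sizeof(gpt_e[i].partition_name)
+efiname_len = sizeof(gpt_e[i].partition_name)
 / sizeof(efi_char16_t);
-for (k = 0; k < name_len; k++)
+dosname_len = sizeof(partitions[i].name);
+
+memset(gpt_e[i].partition_name, 0,
+sizeof(gpt_e[i].partition_name));
+
+for (k = 0; k < min(dosname_len, efiname_len); k++)
 gpt_e[i].partition_name[k] =
 (efi_char16_t)(partitions[i].name[k]);
 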
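Review bot: The copy loop at new line 430 always runs for the full `min(dosname_len, efiname_len)` elements, so it does not stop at the terminating NUL of `partitions[i].name`, and whatever bytes follow the terminator in that field are widened and stored in the GPT entry. Whether callers zero-fill the name field is not visible in this diff; if they do not, stale memory contents would end up in the on-disk partition name. Since the destination is now cleared by the added `memset`, the loop can safely end at the terminator, for example `for (k = 0; k < n && partitions[i].name[k]; k++)` with `n = min(dosname_len, efiname_len);` computed once before the loop, which also avoids re-evaluating `min()` on every iteration. A short comment such as `/* efiname_len counts efi_char16_t elements, dosname_len counts bytes */` would make clear why the two lengths are comparable. The enclosing function starts and ends outside both hunks.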