Commit bdf5c1b3607bd6384ac5319caad2d8107130ace1

Authored by Stefan Brüns
Committed by Alexander Graf
1 parent 852efbf5bd

efi_loader: Fix memory map size check to avoid out-of-bounds access

The current efi_get_memory_map() function overwrites the map_size
property before reading its value. That way the sanity check whether our
memory map fits into the given array always succeeds, potentially
overwriting arbitrary payload memory.

This patch moves the property update write after its sanity check, so
that the check actually verifies the correct value.

So far this has not triggered any known bugs, but we're better off safe
than sorry.

If the buffer is too small, the returned memory_map_size indicates the
required size to the caller.

Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>

Showing 1 changed file with 2 additions and 1 deletions

lib/efi_loader/efi_memory.c
... ... @@ -336,6 +336,7 @@
336 336 ulong map_size = 0;
337 337 int map_entries = 0;
338 338 struct list_head *lhandle;
  339 + unsigned long provided_map_size = *memory_map_size;
339 340  
340 341 list_for_each(lhandle, &efi_mem)
341 342 map_entries++;
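Review bot: the added line `unsigned long provided_map_size = *memory_map_size;` dereferences the memory_map_size pointer unconditionally at function entry, and nothing in the visible lines checks it for NULL first. If every caller is guaranteed to pass a valid pointer (the parameter is mandatory in this interface), a short comment saying so would help; otherwise the read needs a guard before the snapshot is taken, since this is now the earliest dereference in the function. Minor: the existing `map_size` is declared `ulong` while the new variable uses `unsigned long`; picking one spelling keeps the comparison in the later hunk visibly like-for-like.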
... ... @@ -350,7 +351,7 @@
350 351 if (descriptor_version)
351 352 *descriptor_version = EFI_MEMORY_DESCRIPTOR_VERSION;
352 353  
353   - if (*memory_map_size < map_size)
  354 + if (provided_map_size < map_size)
354 355 return EFI_BUFFER_TOO_SMALL;
355 356  
356 357 /* Copy list into array */
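Review bot: the commit message says the `*memory_map_size` write is moved after the sanity check, but this diff (2 additions, 1 deletion) removes no assignment; it instead compares against the snapshot taken at entry, `if (provided_map_size < map_size)`, and leaves the existing write where it was. The fix is correct either way, and leaving the write in place is in fact what makes `*memory_map_size` already hold the required size on the `EFI_BUFFER_TOO_SMALL` return, as the last paragraph of the message states. Suggest rewording the message to describe the snapshot rather than a move, so the description matches the code.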