Commit bdf5c1b3607bd6384ac5319caad2d8107130ace1
Committed by
Alexander Graf
1 parent
852efbf5bd
Exists in
v2017.01-smarct4x
and in
25 other branches
efi_loader: Fix memory map size check to avoid out-of-bounds access
The current efi_get_memory_map() function overwrites the map_size property before reading its value. That way the sanity check whether our memory map fits into the given array always succeeds, potentially overwriting arbitrary payload memory. This patch moves the property update write after its sanity check, so that the check actually verifies the correct value. So far this has not triggered any known bugs, but we're better off safe than sorry. If the buffer is to small, the returned memory_map_size indicates the required size to the caller. Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de> Reviewed-by: Alexander Graf <agraf@suse.de> Signed-off-by: Alexander Graf <agraf@suse.de>
Showing 1 changed file with 2 additions and 1 deletions Side-by-side Diff
lib/efi_loader/efi_memory.c
... | ... | @@ -336,6 +336,7 @@ |
336 | 336 | ulong map_size = 0; |
337 | 337 | int map_entries = 0; |
338 | 338 | struct list_head *lhandle; |
339 | + unsigned long provided_map_size = *memory_map_size; | |
339 | 340 | |
340 | 341 | list_for_each(lhandle, &efi_mem) |
341 | 342 | map_entries++; |
... | ... | @@ -350,7 +351,7 @@ |
350 | 351 | if (descriptor_version) |
351 | 352 | *descriptor_version = EFI_MEMORY_DESCRIPTOR_VERSION; |
352 | 353 | |
353 | - if (*memory_map_size < map_size) | |
354 | + if (provided_map_size < map_size) | |
354 | 355 | return EFI_BUFFER_TOO_SMALL; |
355 | 356 | |
356 | 357 | /* Copy list into array */ |