From patchwork Sun Oct 9 20:17:07 2016
X-Patchwork-Submitter: Stefan Brüns
X-Patchwork-Id: 680080
X-Patchwork-Delegate: agraf@suse.de
From: Stefan Brüns
To: u-boot@lists.denx.de
Date: Sun, 9 Oct 2016 22:17:07 +0200
In-Reply-To: <20161001213229.19522-3-stefan.bruens@rwth-aachen.de>
References: <20161001213229.19522-3-stefan.bruens@rwth-aachen.de>
Subject: [U-Boot] [PATCH v4 2/7] efi_loader: Fix memory map size check to avoid out-of-bounds access
List-Id: U-Boot discussion

The current efi_get_memory_map() function overwrites the map_size property before reading its value. That way the sanity check whether our memory map fits into the given array always succeeds, potentially overwriting arbitrary payload memory.

This patch moves the property update write after its sanity check, so that the check actually verifies the correct value.

So far this has not triggered any known bugs, but we're better off safe than sorry.

If the buffer is too small, the returned memory_map_size indicates the required size to the caller.

Signed-off-by: Stefan Brüns
Reviewed-by: Alexander Graf
--- lib/efi_loader/efi_memory.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/efi_loader/efi_memory.c b/lib/efi_loader/efi_memory.c index ebe8e94..1d23783 100644 --- a/lib/efi_loader/efi_memory.c +++ b/lib/efi_loader/efi_memory.c @@ -336,6 +336,7 @@ efi_status_t efi_get_memory_map(unsigned long *memory_map_size, ulong map_size = 0; int map_entries = 0; struct list_head *lhandle; + unsigned long provided_map_size = *memory_map_size; list_for_each(lhandle, &efi_mem) map_entries++;
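Review bot: the new `unsigned long provided_map_size = *memory_map_size;` dereferences the caller's pointer at declaration time, and none of the visible lines check `memory_map_size` for NULL before that point; the UEFI GetMemoryMap contract returns EFI_INVALID_PARAMETER for a NULL MemoryMapSize, so unless the function already rejects NULL above this hunk, add `if (!memory_map_size) return EFI_INVALID_PARAMETER;` ahead of the snapshot rather than faulting in boot services. Minor style point: `map_size` is declared `ulong` while the new variable is `unsigned long`; pick one spelling for the two values that are compared against each other.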
@@ -350,7 +351,7 @@ efi_status_t efi_get_memory_map(unsigned long *memory_map_size, if (descriptor_version) *descriptor_version = EFI_MEMORY_DESCRIPTOR_VERSION; - if (*memory_map_size < map_size) + if (provided_map_size < map_size) return EFI_BUFFER_TOO_SMALL; /* Copy list into array */
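Review bot: the commit message says the write to `*memory_map_size` is moved after the sanity check, but neither hunk moves that write; the change instead keeps the write where it was and compares against the earlier snapshot, `if (provided_map_size < map_size)`. Reword the message to describe the snapshot so the log matches the code. Also worth a sentence in the message: in the visible context `*descriptor_version` is already written before the EFI_BUFFER_TOO_SMALL return, so a caller on that path gets the version and the required size but no map contents, which is what the message's last paragraph promises.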
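The bug class the message describes, an out-parameter overwritten before it is compared, is easy to see in isolation. The following is an added example written for this page, not U-Boot's code: the EFI status values, the `efi_mem_desc` layout and the three-entry sample map are constructed stand-ins, `get_memory_map_buggy` models the pre-patch check, `get_memory_map_fixed` models the snapshot approach (plus NULL checks that are this example's addition, not the hunk's), and `probe_short_buffer` hands each version a buffer that claims room for one descriptor while being backed by enough canary-filled bytes to observe the overrun safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, NOT U-Boot's definitions. */
typedef unsigned long efi_status_t;
#define EFI_SUCCESS            0UL
#define EFI_INVALID_PARAMETER  2UL
#define EFI_BUFFER_TOO_SMALL   5UL

struct efi_mem_desc {
    uint32_t type;
    uint64_t physical_start;
    uint64_t num_pages;
};

/* Constructed sample map standing in for the efi_mem list (three regions). */
static const struct efi_mem_desc efi_mem[] = {
    { 7, 0x40000000ULL, 0x100 },
    { 2, 0x40100000ULL, 0x010 },
    { 1, 0x40110000ULL, 0x004 },
};
#define EFI_MEM_ENTRIES (sizeof(efi_mem) / sizeof(efi_mem[0]))

typedef efi_status_t (*get_map_fn)(unsigned long *, struct efi_mem_desc *);

/* BEFORE: the out-parameter is overwritten with the required size and then
 * compared against itself, so the check never fires and the copy overruns. */
efi_status_t get_memory_map_buggy(unsigned long *memory_map_size,
                                  struct efi_mem_desc *memory_map)
{
    unsigned long map_size = EFI_MEM_ENTRIES * sizeof(struct efi_mem_desc);

    *memory_map_size = map_size;           /* clobbers the caller's value */
    if (*memory_map_size < map_size)       /* map_size < map_size: never true */
        return EFI_BUFFER_TOO_SMALL;
    memcpy(memory_map, efi_mem, map_size); /* runs past a short buffer */
    return EFI_SUCCESS;
}

/* AFTER: read the caller's size first, report the required size either way,
 * copy only when the snapshot says it fits. NULL checks added by this example. */
efi_status_t get_memory_map_fixed(unsigned long *memory_map_size,
                                  struct efi_mem_desc *memory_map)
{
    unsigned long provided_map_size;
    unsigned long map_size = EFI_MEM_ENTRIES * sizeof(struct efi_mem_desc);

    if (!memory_map_size)
        return EFI_INVALID_PARAMETER;
    provided_map_size = *memory_map_size;  /* snapshot BEFORE the write */
    *memory_map_size = map_size;           /* tell the caller what is needed */
    if (provided_map_size < map_size)
        return EFI_BUFFER_TOO_SMALL;       /* nothing written to memory_map */
    if (!memory_map)
        return EFI_INVALID_PARAMETER;
    memcpy(memory_map, efi_mem, map_size);
    return EFI_SUCCESS;
}

struct probe_result {
    efi_status_t status;
    unsigned long reported_size;   /* value left in *memory_map_size */
    int overrun;                   /* 1 if bytes past the claimed size changed */
};

/* Claim room for one descriptor, back it with canary bytes, see what happens. */
struct probe_result probe_short_buffer(get_map_fn impl)
{
    union {
        struct efi_mem_desc align;                /* descriptor alignment */
        unsigned char bytes[sizeof(efi_mem) + 16]; /* absorbs the overrun */
    } backing;
    const unsigned long claimed = sizeof(struct efi_mem_desc);
    unsigned long size = claimed;
    struct probe_result r = { 0, 0, 0 };
    size_t i;

    memset(backing.bytes, 0xA5, sizeof(backing.bytes));  /* canary fill */
    r.status = impl(&size, &backing.align);
    r.reported_size = size;
    for (i = claimed; i < sizeof(backing.bytes); i++)
        if (backing.bytes[i] != 0xA5)
            r.overrun = 1;
    return r;
}

/* Happy path: an adequately sized buffer receives the whole map. */
int fixed_roundtrip_ok(void)
{
    struct efi_mem_desc buf[8];
    unsigned long size = sizeof(buf);

    if (get_memory_map_fixed(&size, buf) != EFI_SUCCESS)
        return 0;
    if (size != EFI_MEM_ENTRIES * sizeof(struct efi_mem_desc))
        return 0;
    return memcmp(buf, efi_mem, size) == 0;
}

int main(void)
{
    struct probe_result b = probe_short_buffer(get_memory_map_buggy);
    struct probe_result f = probe_short_buffer(get_memory_map_fixed);
    printf("buggy: status=%lu reported=%lu overrun=%d\n", b.status, b.reported_size, b.overrun);
    printf("fixed: status=%lu reported=%lu overrun=%d\n", f.status, f.reported_size, f.overrun);
    printf("fixed roundtrip: %s\n", fixed_roundtrip_ok() ? "ok" : "FAIL");
    return 0;
}
```

The probe shows the two behaviours side by side: the buggy version reports EFI_SUCCESS for a one-descriptor buffer and clobbers the canary, while the fixed version returns EFI_BUFFER_TOO_SMALL, leaves the caller's buffer untouched, and leaves the required size in `*memory_map_size` so the caller can reallocate and retry.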