{"id":2226111,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2226111/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422092910.444997-4-kraxel@redhat.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260422092910.444997-4-kraxel@redhat.com>","list_archive_url":null,"date":"2026-04-22T09:29:06","name":"[3/6] hw/uefi: fix ucs2 string helper functions","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"4bfee688d45d31cd2f1cd3a95973097bc972e359","submitter":{"id":589,"url":"http://patchwork.ozlabs.org/api/1.2/people/589/?format=json","name":"Gerd Hoffmann","email":"kraxel@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422092910.444997-4-kraxel@redhat.com/mbox/","series":[{"id":500953,"url":"http://patchwork.ozlabs.org/api/1.2/series/500953/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500953","date":"2026-04-22T09:29:03","name":"hw/uefi: a batch of security fixes","version":1,"mbox":"http://patchwork.ozlabs.org/series/500953/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2226111/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2226111/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=VR3KjFQu;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n 
spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0v8v3Wgzz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 19:30:39 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wFTta-000421-Lo; Wed, 22 Apr 2026 05:29:22 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1wFTtZ-00041s-FX\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 05:29:21 -0400","from us-smtp-delivery-124.mimecast.com ([170.10.129.124])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1wFTtX-0007no-Sk\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 05:29:21 -0400","from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-643-DoMbSNUkPw62ymltfNTwWw-1; Wed,\n 22 Apr 2026 05:29:16 -0400","from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 518D118005B6; Wed, 22 Apr 
2026 09:29:15 +0000 (UTC)","from sirius.home.kraxel.org (unknown [10.44.48.53])\n by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id D7F0A3000C15; Wed, 22 Apr 2026 09:29:14 +0000 (UTC)","by sirius.home.kraxel.org (Postfix, from userid 1000)\n id 4AFCA180102C; Wed, 22 Apr 2026 11:29:10 +0200 (CEST)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776850159;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=yZNnNmLB5m+01rMbrAyCUvbYI4Dbe4PiimvOk1+8swY=;\n b=VR3KjFQuNATnjLiA8EEc5C+hCDHZJ8Oftqjg6ILdoVzmGmRRES1Ee8N41c03TveDvpZN0K\n bMXWq0dg9h7vnf+gUe59/aOCqvJl0J77r3E1wcU4V9J+PtaopOz1jIgVnEZcGSeTKsc/P/\n 0Dn+r4AH4ZFiO5K7SawS9iwaDNvmpI0=","X-MC-Unique":"DoMbSNUkPw62ymltfNTwWw-1","X-Mimecast-MFC-AGG-ID":"DoMbSNUkPw62ymltfNTwWw_1776850155","From":"Gerd Hoffmann <kraxel@redhat.com>","To":"qemu-devel@nongnu.org","Cc":"Gerd Hoffmann <kraxel@redhat.com>,\n Katherine Leaver <katherine.j.leaver@gmail.com>","Subject":"[PATCH 3/6] hw/uefi: fix ucs2 string helper functions","Date":"Wed, 22 Apr 2026 11:29:06 +0200","Message-ID":"<20260422092910.444997-4-kraxel@redhat.com>","In-Reply-To":"<20260422092910.444997-1-kraxel@redhat.com>","References":"<20260422092910.444997-1-kraxel@redhat.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Scanned-By":"MIMEDefang 3.4.1 on 10.30.177.4","Received-SPF":"pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com;\n helo=us-smtp-delivery-124.mimecast.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n SPF_HELO_PASS=-0.001, 
SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"The length passed in is in bytes not characters.  Rename the\nparameters to make that clear.  Calculate the number of chars\nif needed.  Fix length checks to use the number of chars not\nbytes to avoid OOB reads.\n\nFixes: CVE-2026-41437\nFixes: 1ebc319c8ca7 (\"hw/uefi: add var-service-utils.c\")\nReported-by: Katherine Leaver <katherine.j.leaver@gmail.com>\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>\n---\n hw/uefi/var-service-utils.c | 42 +++++++++++++++++++++----------------\n 1 file changed, 24 insertions(+), 18 deletions(-)","diff":"diff --git a/hw/uefi/var-service-utils.c b/hw/uefi/var-service-utils.c\nindex 258013f436af..489321a26ccb 100644\n--- a/hw/uefi/var-service-utils.c\n+++ b/hw/uefi/var-service-utils.c\n@@ -19,13 +19,18 @@\n  * sometimes when they are not (for example in variable policies).\n  */\n \n-gboolean uefi_str_is_valid(const uint16_t *str, size_t len,\n+gboolean uefi_str_is_valid(const uint16_t *str, size_t bytes,\n                            gboolean must_be_null_terminated)\n {\n+    size_t chars = bytes / 2;\n     size_t pos = 0;\n \n+    if ((bytes % 2) != 0) {\n+        return false;\n+    }\n+\n     for (;;) {\n-        if 
(pos == len) {\n+        if (pos == chars) {\n             if (must_be_null_terminated) {\n                 return false;\n             } else {\n@@ -47,12 +52,13 @@ gboolean uefi_str_is_valid(const uint16_t *str, size_t len,\n     }\n }\n \n-size_t uefi_strlen(const uint16_t *str, size_t len)\n+size_t uefi_strlen(const uint16_t *str, size_t bytes)\n {\n+    size_t chars = bytes / 2;\n     size_t pos = 0;\n \n     for (;;) {\n-        if (pos == len) {\n+        if (pos == chars) {\n             return pos;\n         }\n         if (str[pos] == 0) {\n@@ -62,25 +68,25 @@ size_t uefi_strlen(const uint16_t *str, size_t len)\n     }\n }\n \n-gboolean uefi_str_equal_ex(const uint16_t *a, size_t alen,\n-                           const uint16_t *b, size_t blen,\n+gboolean uefi_str_equal_ex(const uint16_t *a, size_t a_bytes,\n+                           const uint16_t *b, size_t b_bytes,\n                            gboolean wildcards_in_a)\n {\n+    size_t a_chars = a_bytes / 2;\n+    size_t b_chars = b_bytes / 2;\n     size_t pos = 0;\n \n-    alen = alen / 2;\n-    blen = blen / 2;\n     for (;;) {\n-        if (pos == alen && pos == blen) {\n+        if (pos == a_chars && pos == b_chars) {\n             return true;\n         }\n-        if (pos == alen && b[pos] == 0) {\n+        if (pos == a_chars && b[pos] == 0) {\n             return true;\n         }\n-        if (pos == blen && a[pos] == 0) {\n+        if (pos == b_chars && a[pos] == 0) {\n             return true;\n         }\n-        if (pos == alen || pos == blen) {\n+        if (pos == a_chars || pos == b_chars) {\n             return false;\n         }\n         if (a[pos] == 0 && b[pos] == 0) {\n@@ -100,18 +106,18 @@ gboolean uefi_str_equal_ex(const uint16_t *a, size_t alen,\n     }\n }\n \n-gboolean uefi_str_equal(const uint16_t *a, size_t alen,\n-                        const uint16_t *b, size_t blen)\n+gboolean uefi_str_equal(const uint16_t *a, size_t a_bytes,\n+                        const uint16_t 
*b, size_t b_bytes)\n {\n-    return uefi_str_equal_ex(a, alen, b, blen, false);\n+    return uefi_str_equal_ex(a, a_bytes, b, b_bytes, false);\n }\n \n-char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_size)\n+char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_bytes)\n {\n-    char *str = g_malloc0(ucs2_size / 2 + 1);\n+    char *str = g_malloc0(ucs2_bytes / 2 + 1);\n     int i;\n \n-    for (i = 0; i * 2 < ucs2_size; i++) {\n+    for (i = 0; i * 2 < ucs2_bytes; i++) {\n         if (ucs2[i] == 0) {\n             break;\n         }\n","prefixes":["3/6"]}
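Review bot: uefi_strlen() silently rounds an odd byte count down with `chars = bytes / 2`, while uefi_str_is_valid() in the same patch returns false when `(bytes % 2) != 0`. The a_bytes and b_bytes parameters of uefi_str_equal_ex() are rounded down the same way. Since the point of the rename is to make the unit explicit, add a short comment above each helper saying that the size is in bytes and that a trailing odd byte is ignored, or reject odd sizes consistently so callers cannot rely on different behaviour depending on which helper they reach first.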
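Review bot: uefi_ucs2_to_ascii() is only renamed in the last hunk and keeps a byte-based loop bound, `i * 2 < ucs2_bytes`, unlike the other helpers, which now compare against a character count. With an odd ucs2_bytes the condition admits one more index than there are complete characters (ucs2_bytes = 3 allows i = 1, and `ucs2[1]` covers bytes 2 and 3), so the read in `if (ucs2[i] == 0)` can touch one byte past the buffer. The index is also an `int` multiplied by 2 before it is compared with a uint64_t. Suggest computing `size_t chars = ucs2_bytes / 2;` once, using it for both the g_malloc0() size and the loop bound (`i < chars`) with a size_t index, and deciding explicitly whether an odd size should be rejected as uefi_str_is_valid() does.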