authorDaniel Axtens <dja@axtens.net>2021-07-21 14:00:28 +1000
committerVasant Hegde <hegdevasant@linux.vnet.ibm.com>2021-07-22 11:26:34 +0530
commite58ccbdf1c7d259cbac06105b194b06be849f961 (patch)
treed226c7a849356afa4c2929b1b02702a38ecb57ec /libstb/secvar/backend/edk2-compat-process.c
parentaf351fe7941da32e8f7c801edb56683a95c6280c (diff)
secvar/backend: fix an integer underflow bug
[ Upstream commit 0c265ace91b9d9ee08e09392a7d4a78a1301a3ab ] If a declared size is smaller than the uuid size, the subtraction wraps around and we end up requesting an allocation of a 'negative' number, which is a huge 64 bit number. This will probably then fail with an OPAL_NO_MEM, but it will be better to catch it and return OPAL_PARAMETER instead. Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Nayna Jain <nayna@linux.ibm.com> Tested-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/secvar/backend/edk2-compat-process.c')
-rw-r--r--libstb/secvar/backend/edk2-compat-process.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 99fe106..c5113b7 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -123,6 +123,9 @@ static int get_esl_cert(const char *buf, const size_t buflen, char **cert)
assert(cert != NULL);
+ if (le32_to_cpu(list->SignatureSize) <= sizeof(uuid_t))
+ return OPAL_PARAMETER;
+
size = le32_to_cpu(list->SignatureSize) - sizeof(uuid_t);
prlog(PR_DEBUG,"size of signature list size is %u\n",