From e58ccbdf1c7d259cbac06105b194b06be849f961 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Wed, 21 Jul 2021 14:00:28 +1000
Subject: secvar/backend: fix an integer underflow bug

[ Upstream commit 0c265ace91b9d9ee08e09392a7d4a78a1301a3ab ]

If a declared size is smaller than uuid size, we end up allocating
with an allocation of a 'negative' number, which is a huge 64 bit
number.

This will probably then fail with an OPAL_NO_MEM, but it will be
better to catch it and return OPAL_PARAMETER instead.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
---
 libstb/secvar/backend/edk2-compat-process.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'libstb/secvar/backend/edk2-compat-process.c')

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 99fe106..c5113b7 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -123,6 +123,9 @@ static int get_esl_cert(const char *buf, const size_t buflen, char **cert)
 
 	assert(cert != NULL);
 
+	if (le32_to_cpu(list->SignatureSize) <= sizeof(uuid_t))
+		return OPAL_PARAMETER;
+
 	size = le32_to_cpu(list->SignatureSize) - sizeof(uuid_t);
 
 	prlog(PR_DEBUG,"size of signature list size is %u\n",
-- 
cgit v1.1