Make sure the total variable_policy_entry size stays below
64k so the (16-bit) size field can not wrap.
Fixes: CVE-2026-41438
Fixes: db1ecfb473ac ("hw/uefi: add var-service-vars.c")
Reported-by: Katherine Leaver <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
---
hw/uefi/var-service-vars.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c
index 24e6516a9cc0..2c83130ebf63 100644
--- a/hw/uefi/var-service-vars.c
+++ b/hw/uefi/var-service-vars.c
@@ -667,6 +667,9 @@ uefi_vars_mm_lock_variable(uefi_vars_state *uv, mm_header
*mhdr,
if (mhdr->length < length) {
return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
}
+ if (sizeof(*pe) + lv->name_size > UINT16_MAX) {
+ return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+ }
uefi_trace_variable(__func__, lv->guid, name, lv->name_size);
--
2.54.0
