From: Gerd Hoffmann <[email protected]>
Make sure the total variable_policy_entry size stays below
64k so the (16-bit) size field can not wrap.
Fixes: CVE-2026-41438
Fixes: db1ecfb473ac ("hw/uefi: add var-service-vars.c")
Reported-by: Katherine Leaver <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit c45b460d16f991ff3f753623f3423e1adc4077a2)
Signed-off-by: Michael Tokarev <[email protected]>
diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c
index 82ff4e429a..ef8a3db873 100644
--- a/hw/uefi/var-service-vars.c
+++ b/hw/uefi/var-service-vars.c
@@ -629,6 +629,9 @@ uefi_vars_mm_lock_variable(uefi_vars_state *uv, mm_header
*mhdr,
if (mhdr->length < length) {
return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
}
+ if (sizeof(*pe) + lv->name_size > UINT16_MAX) {
+ return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
+ }
uefi_trace_variable(__func__, lv->guid, name, lv->name_size);
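Review bot: the added bound `sizeof(*pe) + lv->name_size > UINT16_MAX` carries no comment explaining where the 64k limit comes from, and the sum depends on the width of `lv->name_size`, which is not visible in this hunk. Writing it as `lv->name_size > UINT16_MAX - sizeof(*pe)` would keep the comparison from wrapping whatever the operand type is. A one-line comment should say that the limit comes from the 16-bit size field of the policy entry, as the commit message states. The check sits after the existing `mhdr->length < length` test and before the trace call, so a rejected request is never traced; if oversized requests should show up in traces for debugging, the order of these two would need to change.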
--
2.47.3