On 2/19/26 19:43, Vincent Stehlé wrote:
The test of the UEFI LocateHandleBuffer() function clears a returned buffer
at some point to reuse it, but there is an error in the size computation,
which leads to a buffer overflow; fix it.

Fixes: 927ca890b09f ("efi_selftest: test protocol management")
Signed-off-by: Vincent Stehlé <[email protected]>
Cc: Heinrich Schuchardt <[email protected]>
Cc: Ilias Apalodimas <[email protected]>
Cc: Tom Rini <[email protected]>
---
  lib/efi_selftest/efi_selftest_manageprotocols.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/efi_selftest/efi_selftest_manageprotocols.c 
b/lib/efi_selftest/efi_selftest_manageprotocols.c
index 097b2ae3545..ccffa59095d 100644
--- a/lib/efi_selftest/efi_selftest_manageprotocols.c
+++ b/lib/efi_selftest/efi_selftest_manageprotocols.c
@@ -241,7 +241,7 @@ static int execute(void)
                return EFI_ST_FAILURE;
        }
        /* Clear the buffer, we are reusing it it the next step. */
-       boottime->set_mem(buffer, sizeof(efi_handle_t) * buffer_size, 0);
+       boottime->set_mem(buffer, sizeof(efi_handle_t) * count, 0);
/*
         * Test LocateHandle with ByProtocol
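Review bot: the length passed to set_mem now uses count, the number of handles returned by the LocateHandleBuffer() call that produced this buffer, which is the only value tied to the buffer's actual allocation, so the overflow described in the commit message is closed at this call site. Since buffer_size no longer contributes to this clear, confirm whether it still has a meaningful use elsewhere in execute() and drop it if it does not, rather than leaving a stale size variable next to the corrected call. The context comment on the line above ("we are reusing it it the next step") has a typo; as the hunk already touches the following line, "reusing it in the next step" could be corrected in the same patch.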

Hello Vincent,

Thank you for reviewing the code and pointing to an issue.

The fix looks incomplete to me:

In line 167 we allocate a buffer with LocateHandleBuffer(). Assigning buffer_size in line 173 does not make any sense, as we free the buffer in line 185.

In line 223 we allocate another buffer with LocateHandleBuffer().
Assigning the value of buffer_size to count before the invocation doesn't make much sense.

Your fix in line 244 looks correct.

Line 249 sets count to an arbitrary value that is not related to the size of the buffer.

Line 260 sets variable buffer_size and buffer_size is again used in line 306 to set count to an unused value.

We should completely remove variable buffer_size from the function.

Best regards

Heinrich
