On Wed, 11 Mar 2026 at 19:30, Heinrich Schuchardt <[email protected]> wrote:
>
> The value of buf->length comes from outside U-Boot and may be incorrect.
> We must avoid overrunning our internal buffer for excessive values.
>
> If buf->length is shorter than the variable file header, the variable
> file is invalid.
>
> Signed-off-by: Heinrich Schuchardt <[email protected]>
> ---
Reviewed-by: Ilias Apalodimas <[email protected]> > lib/efi_loader/efi_var_common.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c > index 5ea1688dca3..c89a4fce4ff 100644 > --- a/lib/efi_loader/efi_var_common.c > +++ b/lib/efi_loader/efi_var_common.c > @@ -497,6 +497,8 @@ efi_status_t efi_var_restore(struct efi_var_file *buf, > bool safe) > efi_status_t ret; > > if (buf->reserved || buf->magic != EFI_VAR_FILE_MAGIC || > + buf->length > EFI_VAR_BUF_SIZE || > + buf->length < sizeof(struct efi_var_file) || > buf->crc32 != crc32(0, (u8 *)buf->var, > buf->length - sizeof(struct efi_var_file))) { > log_err("Invalid EFI variables file\n"); > -- > 2.53.0 >
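
Review bot: In the efi_var_restore() hunk, the new upper bound `buf->length > EFI_VAR_BUF_SIZE` compares against a compile-time constant, while the function receives only `struct efi_var_file *buf` and `bool safe` and cannot know how large the caller's buffer is or how many bytes were actually read into it. The check is sufficient only if every caller supplies a buffer of at least EFI_VAR_BUF_SIZE bytes, so either state that requirement in the function's comment or pass the real buffer size in and use it as the bound. The two length tests must also stay ahead of the crc32() term: `buf->length - sizeof(struct efi_var_file)` underflows for a length shorter than the header and is safe only because the `||` chain short-circuits, so a one-line comment to that effect would guard against a later reorder. As a minor point, all conditions share the single "Invalid EFI variables file" message, so a bad length cannot be told apart from a CRC mismatch in the log.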

