34668cd0d4
Related: rhbz#1915194 Signed-off-by: Peter Jones <pjones@redhat.com>
From ac610fe45491deccaab2c4ee689cbbdac117930a Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 8 Sep 2020 12:26:45 +0200
Subject: [PATCH] Fix buffer overrun due DEFAULT_LOADER length miscalculation
|
|
|
|
The DEFAULT_LOADER is a UCS-2 string and the StrLen() function returns the
number of UCS-2 encoded characters in the string. But the allocated memory
is in bytes, so only half of the needed memory to store it is allocated.
|
|
|
|
This leads to a buffer overrun when the StrCpy() function attempts to copy
the DEFAULT_LOADER to the allocated buffer.
|
|
|
|
Fixes: 354bd9b1931 ("Actually check for errors from set_second_stage()")
Reported-by: Stuart Hayes <stuart_hayes@dell.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
shim.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
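--- a/shim.c
+++ b/shim.c
@@ -2096,8 +2096,9 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
 unsigned int i;
 UINTN second_stage_len;
 
- second_stage_len = StrLen(DEFAULT_LOADER) + 1;
+ second_stage_len = (StrLen(DEFAULT_LOADER) + 1) * sizeof(CHAR16);
 second_stage = AllocatePool(second_stage_len);
+
 if (!second_stage) {
 perror(L"Could not allocate %lu bytes\n", second_stage_len);
 return EFI_OUT_OF_RESOURCES;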
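Review bot: `second_stage_len` now holds a byte count while `StrLen()` returns a character count, and nothing at the assignment or the declaration says which unit the variable carries, which is the confusion that produced the overrun. A short comment above the assignment, `/* byte size of DEFAULT_LOADER, including the terminating NUL */`, would pin that down for the next edit. The `StrCpy()` named in the commit message lies outside this hunk and takes no length, so the allocation size and the copy can drift apart again. Any other allocation in `set_second_stage` that is sized from `StrLen()` should be checked for the same characters-versus-bytes mismatch. The function body starts and ends outside the hunk.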
--
2.28.0