git.ipfire.org Git - thirdparty/ipxe.git/commit
[efi] Nullify interfaces and leak memory on uninstallation failure
author Michael Brown <mcb30@ipxe.org>
Mon, 26 Oct 2020 15:10:18 +0000 (15:10 +0000)
committer Michael Brown <mcb30@ipxe.org>
Mon, 26 Oct 2020 15:24:00 +0000 (15:24 +0000)
commit 5b41b9a80ffb365376d8d522675a8d248a8717ab
tree 74a87587b08135b0694b29c981671467ada3acc5
parent 86c6c79fcdc00fef78373d3f0d35cb749d6b6772
[efi] Nullify interfaces and leak memory on uninstallation failure

The UEFI specification allows uninstallation of a protocol interface
to fail.  There is no sensible way for code to react to this, since
uninstallation is likely to be taking place on a code path that cannot
itself fail (e.g. a code path that is itself a failure path).

Where the protocol structure exists within a dynamically allocated
block of memory, this leads to possible use-after-free bugs.  Work
around this unfortunate design choice by nullifying the protocol
(i.e. overwriting the method pointers with no-ops) and leaking the
memory containing the protocol structure.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/include/ipxe/efi/efi_null.h [new file with mode: 0644]
src/include/ipxe/efi/efi_snp.h
src/interface/efi/efi_block.c
src/interface/efi/efi_null.c [new file with mode: 0644]
src/interface/efi/efi_pxe.c
src/interface/efi/efi_snp.c
src/interface/efi/efi_snp_hii.c
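
The workaround described in the commit message, as an added example that is not code from this commit or from iPXE. All names (`blk_proto`, `blk_dev`, `fw_uninstall`, `fw_call_read` and the rest) are hypothetical, and the "firmware" is a constructed stand-in that can be told to refuse uninstallation.

```c
#include <stdlib.h>

/* Hypothetical protocol: a table of method pointers, like a UEFI protocol. */
struct blk_proto {
    int (*read)(struct blk_proto *self, void *buf, size_t len);
};
/* Dynamically allocated driver state with the protocol embedded first. */
struct blk_dev {
    struct blk_proto proto;
    int backing_ok;
};
/* Constructed stand-in for firmware: it keeps the installed pointer. */
static struct blk_proto *fw_installed;
static int fw_uninstall_fails;    /* set to 1 to simulate a failed uninstall */
static int fw_uninstall(struct blk_proto *p) {
    if (fw_uninstall_fails) return -1;   /* firmware still holds the pointer */
    if (fw_installed == p) fw_installed = NULL;
    return 0;
}

static int real_read(struct blk_proto *self, void *buf, size_t len) {
    (void)buf; (void)len;
    /* Dereferences driver state: a use-after-free if dev had been freed. */
    return ((struct blk_dev *)self)->backing_ok ? 0 : -2;
}
/* No-op replacement: touches no driver state, always reports failure. */
static int null_read(struct blk_proto *self, void *buf, size_t len) {
    (void)self; (void)buf; (void)len;
    return -3;
}

struct blk_dev *blk_create(void) {
    struct blk_dev *dev = calloc(1, sizeof(*dev));
    if (!dev) return NULL;
    dev->proto.read = real_read;
    dev->backing_ok = 1;
    fw_installed = &dev->proto;
    return dev;
}

/* Returns 1 if the memory was freed, 0 if it was nullified and leaked. */
int blk_destroy(struct blk_dev *dev) {
    if (fw_uninstall(&dev->proto) == 0) { free(dev); return 1; }
    dev->proto.read = null_read;  /* stale callers now reach the stub */
    return 0;                     /* deliberately not freed */
}
/* A firmware-side call through whatever pointer is still installed. */
int fw_call_read(void) {
    return fw_installed ? fw_installed->read(fw_installed, NULL, 0) : -4;
}
```

Freeing `dev` on the failure path instead would leave the stand-in firmware holding a dangling pointer, and its next `read` call would dereference freed memory.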