From: Syed Mohammed Nayyar <jmestwa@gmail.com>
Date: Thu, 25 Jun 2026 16:46:03 +0000 (+0530)
Subject: pcrlock: reject device path node shorter than its header
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d2a704388f846f2b3d3550c19ce7af0e9dc360b0;p=thirdparty%2Fsystemd.git

pcrlock: reject device path node shorter than its header

event_log_record_extract_firmware_description() walks the device path
of a UEFI_IMAGE_LOAD_EVENT taken from the firmware TPM2 measurement log.
The per-node loop checks the remaining bytes against the node and its
declared length, but never that dp->length covers the 4-byte node header
offsetof(packed_EFI_DEVICE_PATH, path).

For a Media/File-Path node with length 3, the file-name extraction
computes dp->length - offsetof(packed_EFI_DEVICE_PATH, path) == 3 - 4,
which wraps to SIZE_MAX. utf16_to_utf8() treats SIZE_MAX as unbounded
and runs char16_strlen() over dp->path, reading past the log buffer; a
length of 0 also leaves dp non-advancing.

efi_get_boot_option() in src/shared/efi-api.c already rejects such nodes
with "if (dpath->length < 4) break;"; do the same here.
---

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 53b9b8a1551..8b4ebceeb65 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -837,7 +837,9 @@ static int event_log_record_extract_firmware_description(EventLogRecord *rec) {
                                 goto invalid;
                         }
 
-                        if (left < offsetof(packed_EFI_DEVICE_PATH, path) || left < dp->length) {
+                        if (left < offsetof(packed_EFI_DEVICE_PATH, path) ||
+                            dp->length < offsetof(packed_EFI_DEVICE_PATH, path) ||
+                            left < dp->length) {
                                 log_warning("Device path element too short, ignoring.");
                                 goto invalid;
                         }