From: Kory Maincent (TI.com)
Date: Tue, 4 Nov 2025 09:58:01 +0000 (+0100)
Subject: qfw: Fix segfault from uninitialized variables in sandbox
X-Git-Tag: v2026.01-rc3~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=664cdc5fd524db0c09c1200e89e65207a3b772a4;p=thirdparty%2Fu-boot.git

qfw: Fix segfault from uninitialized variables in sandbox

There are cases where qfw_read_entry() does not set the output parameter
passed by address. This occurs with qfw_sandbox_read_entry_dma, which leaves
the size variables uninitialized and causes a segfault when running bootflow
scan in U-Boot sandbox.

$ ./u-boot
...
U-Boot 2026.01-rc1-00199-gc2637036b8f0 (Nov 04 2025 - 10:32:21 +0100)
...
Hit any key to stop autoboot:  0
=> bootflow scan
efi_var_to_file() Cannot persist EFI variables without system partition
efi_tcg2_register() Missing TPMv2 device for EFI_TCG_PROTOCOL
efi_rng_register() Missing RNG device for EFI_RNG_PROTOCOL
scanning bus for devices...
[3]    1015761 segmentation fault (core dumped)  ./u-boot

Initialize all these variables to 0 to fix this issue.

Signed-off-by: Kory Maincent (TI.com)
---

diff --git a/common/qfw.c b/common/qfw.c index 45e87d3ae28..14d48952427 100644 --- a/common/qfw.c +++ b/common/qfw.c @@ -109,7 +109,7 @@ int qemu_fwcfg_setup_kernel(struct udevice *qfw_dev, ulong load_addr, ulong initrd_addr) { char *data_addr; - u32 setup_size, kernel_size, cmdline_size, initrd_size; + u32 setup_size = 0, kernel_size = 0, cmdline_size = 0, initrd_size = 0; qfw_read_entry(qfw_dev, FW_CFG_SETUP_SIZE, 4, &setup_size); qfw_read_entry(qfw_dev, FW_CFG_KERNEL_SIZE, 4, &kernel_size);
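Review bot: zero-initializing the four sizes in the hunk removes the read of uninitialized stack memory, but the two qfw_read_entry() calls shown still do not check whether the read succeeded, so the sandbox DMA case described in the message (output never written) becomes indistinguishable from an entry whose size is genuinely 0, and the function proceeds as if a zero-length kernel, cmdline or initrd were present. Consider having qemu_fwcfg_setup_kernel() bail out when a read fails (or when a required size such as kernel_size is 0), and having qfw_sandbox_read_entry_dma() always write its output buffer, so the root cause is fixed rather than masked; the commit message should also state that the initialization only papers over the unset output parameter.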