From: Lennart Poettering Date: Thu, 12 Mar 2026 13:31:42 +0000 (+0100) Subject: pcrlock: don't accept PCRs > 23 from firmware event log X-Git-Tag: v260-rc3~3^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c248d6a409455cafd49598a86853b9416b57605c;p=thirdparty%2Fsystemd.git pcrlock: don't accept PCRs > 23 from firmware event log Let's harden ourselves against shitty firmware which might report an invalid PCR. (This is not really a security issue, more a robustness issue, after all firmware generally comes with highest privileges and trust, even though it might just be shit) Fixes an issue found with Claude code review --- diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c index acf68d698b9..2d3c0862615 100644 --- a/src/pcrlock/pcrlock.c +++ b/src/pcrlock/pcrlock.c @@ -949,6 +949,11 @@ static int event_log_load_firmware(EventLog *el) { continue; } + if (event->pcrIndex >= TPM2_PCRS_MAX) { + log_debug("Skipping event on PCR %" PRIu32 " (out of range).", event->pcrIndex); + continue; + } + r = event_log_add_record(el, &record); if (r < 0) return log_error_errno(r, "Failed to add record to event log: %m");