From: tfg13 Date: Thu, 4 Jul 2024 18:08:55 +0000 (+0100) Subject: stub: mem fixes in devicetree addon handling (#33624) X-Git-Tag: v257-rc1~961 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=34c6d8fe40f0b796f05c3df91f21aa3e958504cb;p=thirdparty%2Fsystemd.git stub: mem fixes in devicetree addon handling (#33624) * stub: mem fixes in devicetree addon handling Two bugs here: The elements are of size `DevicetreeAddon`, not `size_t`, and `[]` binds stronger than `*`. This means the first element is ok, but the second corrupts the stack. Found this while refactoring #32463
---
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 57f441c84bb..d48cbf2861b 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -463,10 +463,10 @@ static EFI_STATUS load_addons(
 if (devicetree_addons && PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_DTB)) {
 *devicetree_addons = xrealloc(*devicetree_addons,
- *n_devicetree_addons * sizeof(size_t),
- (*n_devicetree_addons + 1) * sizeof(size_t));
+ *n_devicetree_addons * sizeof(DevicetreeAddon),
+ (*n_devicetree_addons + 1) * sizeof(DevicetreeAddon));
- *devicetree_addons[(*n_devicetree_addons)++] = (DevicetreeAddon) {
+ (*devicetree_addons)[(*n_devicetree_addons)++] = (DevicetreeAddon) {
 .blob = {
 .iov_base = xmemdup((const uint8_t*) loaded_addon->ImageBase + sections[UNIFIED_SECTION_DTB].memory_offset, sections[UNIFIED_SECTION_DTB].size),
 .iov_len = sections[UNIFIED_SECTION_DTB].size,
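Review bot: The element size in the two new `xrealloc` arguments is still spelled as a type name, which is the same manual bookkeeping that let `sizeof(size_t)` slip through; deriving it from the pointer keeps the allocation and the `(*devicetree_addons)[...]` store in step if the element type ever changes: `*n_devicetree_addons * sizeof(**devicetree_addons),` and `(*n_devicetree_addons + 1) * sizeof(**devicetree_addons));`. The size multiplication is also unchecked; the count is presumably bounded by the number of addon images found, but nothing in the hunk shows that, so an overflow-checked multiply before the call would make the bound explicit. `load_addons` begins and ends outside this hunk and the `DevicetreeAddon` initializer continues past its last line, so whether `memory_offset` and `size` are validated against the loaded image before `xmemdup` copies from `ImageBase` cannot be judged from here and is worth confirming.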