From: Hans de Goede <johannes.goede@oss.qualcomm.com>
Date: Mon, 12 Jan 2026 13:56:36 +0000 (+0100)
Subject: stub: Fix NULL pointer deref when there are no initrds
X-Git-Tag: v260-rc1~411
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3f4279829eb6c15bdbc0d4252bbefe0c4fd9ec23;p=thirdparty%2Fsystemd.git

stub: Fix NULL pointer deref when there are no initrds

When n_all_initrds == 0, then all_initrds is unmodified from its initial
value of:

	_cleanup_free_ struct iovec *all_initrds = NULL;

and in the else block of the "if (n_all_initrds > 1)" the NULL is
dereferenced:

		final_initrd = all_initrds[0];

Leading to the stub crashing due to a NULL pointer deref.

Fix this by initializing final_initrd to all 0s and only
running the else block if (n_all_initrds == 1).
---

diff --git a/src/boot/stub.c b/src/boot/stub.c
index 06ecbc7d18f..65950262c69 100644
--- a/src/boot/stub.c
+++ b/src/boot/stub.c
@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
 
         /* Combine the initrds into one */
         _cleanup_pages_ Pages initrd_pages = {};
-        struct iovec final_initrd;
+        struct iovec final_initrd = {};
         if (n_all_initrds > 1) {
-                /* There will always be a base initrd, if this counter is higher, we need to combine them */
+                /* If there is more then 1 initrd we need to combine them */
                 err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len);
                 if (err != EFI_SUCCESS)
                         return err;
@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
 
                 /* Given these might be large let's free them explicitly before we pass control to Linux */
                 initrds_free(&initrds);
-        } else
+        } else if (n_all_initrds == 1)
                 final_initrd = all_initrds[0];
 
         struct iovec kernel = IOVEC_MAKE(