The auth.hdr_length maximum is already checked (against the buffer size). The
header has some fixed fields which are included in the header length, so
there is also a minimum size which must be verified. Add a check for
that. This fixes a possible integer underflow.
While at it, replace the magic number '24' with sizeof calculations
for better code documentation.
Fixes: CVE-2026-8341
Fixes: f1488fac0584 ("hw/uefi: add var-service-auth.c")
Reported-by: Feifan Qian <bea1e@proton.me>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <
20260512060523.17493-1-kraxel@redhat.com>
return EFI_SUCCESS;
}
- if (auth.hdr_length == 24) {
+ if (auth.hdr_length == (sizeof(auth) - sizeof(auth.timestamp))) {
/* no signature (auth->cert_data is empty) */
return EFI_SECURITY_VIOLATION;
}
}
memcpy(&auth, data, sizeof(auth));
+ if (auth.hdr_length < (sizeof(auth) - sizeof(auth.timestamp))) {
+ return EFI_SECURITY_VIOLATION;
+ }
if (uadd64_overflow(sizeof(efi_time), auth.hdr_length, &data_offset)) {
return EFI_SECURITY_VIOLATION;
}
memcpy(&auth, data, sizeof(auth));
pkcs7 = g_new(gnutls_datum_t, 1);
- pkcs7->size = auth.hdr_length - 24;
+ pkcs7->size = auth.hdr_length - (sizeof(auth) - sizeof(auth.timestamp));
pkcs7->data = g_malloc(pkcs7->size);
- memcpy(pkcs7->data, data + 16 + 24, pkcs7->size);
+ memcpy(pkcs7->data, data + sizeof(auth), pkcs7->size);
wrap_pkcs7(pkcs7);