efi_loader: Fix memory map size check to avoid out-of-bounds access
author Stefan Brüns <stefan.bruens@rwth-aachen.de>
Sun, 9 Oct 2016 20:17:07 +0000 (22:17 +0200)
committer Alexander Graf <agraf@suse.de>
Tue, 18 Oct 2016 07:08:07 +0000 (09:08 +0200)
commit bdf5c1b3607bd6384ac5319caad2d8107130ace1
tree d7b697cd146911f5e717e9db6fa75a21de9d762c
parent 852efbf5bd3047b12c1926564d792a7a1cea9eac

The current efi_get_memory_map() function overwrites the map_size
property before reading its value. That way the sanity check whether our
memory map fits into the given array always succeeds, potentially
overwriting arbitrary payload memory.

This patch moves the property update write after its sanity check, so
that the check actually verifies the correct value.

So far this has not triggered any known bugs, but we're better off safe
than sorry.

If the buffer is too small, the returned memory_map_size indicates the
required size to the caller.

Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
lib/efi_loader/efi_memory.c
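
The check-ordering bug described in the commit message, reduced to a stand-alone C sketch. This is an added example, not the U-Boot source or the patch itself; `struct mem_desc`, `fw_map`, the status codes and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical types, status codes and constructed sample map, not U-Boot's. */
struct mem_desc { unsigned long start, pages; };
enum { ST_OK, ST_BUFFER_TOO_SMALL };
static const struct mem_desc fw_map[3] = { {0x0, 16}, {0x10000, 32}, {0x30000, 64} };

/* Broken ordering: *map_size is overwritten before it is read, so the check
 * compares the required size with itself and can never fail. */
static int get_map_buggy(size_t *map_size, struct mem_desc *out)
{
    *map_size = sizeof(fw_map);          /* caller's capacity is lost here */
    if (*map_size < sizeof(fw_map))      /* always false */
        return ST_BUFFER_TOO_SMALL;
    memcpy(out, fw_map, sizeof(fw_map)); /* may exceed the caller's buffer */
    return ST_OK;
}

/* Fixed ordering: read the capacity first, then report the required size. */
static int get_map_fixed(size_t *map_size, struct mem_desc *out)
{
    size_t provided = *map_size;
    *map_size = sizeof(fw_map);          /* tells the caller what to allocate */
    if (provided < sizeof(fw_map))
        return ST_BUFFER_TOO_SMALL;      /* out is left untouched */
    memcpy(out, fw_map, sizeof(fw_map));
    return ST_OK;
}

/* Caller claims room for one descriptor inside a three-slot arena (so the
 * overrun stays in bounds here) and counts slots written past the claim. */
static int slots_clobbered(int (*fn)(size_t *, struct mem_desc *), size_t *size, int *status)
{
    struct mem_desc arena[3];
    int i, n = 0;
    memset(arena, 0xAA, sizeof(arena));  /* fill pattern marks untouched slots */
    *size = sizeof(arena[0]);
    *status = fn(size, arena);
    for (i = 1; i < 3; i++)
        n += (arena[i].pages == fw_map[i].pages);
    return n;
}

int main(void)
{
    size_t sz;
    int st, bad = slots_clobbered(get_map_buggy, &sz, &st);
    printf("buggy clobbered %d, fixed clobbered %d\n", bad, slots_clobbered(get_map_fixed, &sz, &st));
    return 0;
}
```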