efi_selftest: check for buffer overflow in efi_get_variable
authorIvan Gorinov <ivan.gorinov@intel.com>
Fri, 25 May 2018 17:45:09 +0000 (10:45 -0700)
committerAlexander Graf <agraf@suse.de>
Sun, 3 Jun 2018 13:27:21 +0000 (15:27 +0200)
Allocate a buffer on the stack instead of an array of uninitialized
pointers; check if GetVariable writes past the end of the buffer.

Signed-off-by: Ivan Gorinov <ivan.gorinov@intel.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
lib/efi_selftest/efi_selftest_variables.c

index f5e8eb6231c92745506d613e354498a5b7c835a2..146378fb9a293909d56b3120450f824c31f89cb9 100644 (file)
@@ -49,7 +49,7 @@ static int execute(void)
        u32 attr;
        u8 v[16] = {0x5d, 0xd1, 0x5e, 0x51, 0x5a, 0x05, 0xc7, 0x0c,
                    0x35, 0x4a, 0xae, 0x87, 0xa5, 0xdf, 0x0f, 0x65,};
-       u8 *data[EFI_ST_MAX_DATA_SIZE];
+       u8 data[EFI_ST_MAX_DATA_SIZE];
        u16 varname[EFI_ST_MAX_VARNAME_SIZE];
        int flag;
        efi_guid_t guid;
@@ -72,6 +72,22 @@ static int execute(void)
                efi_st_error("SetVariable failed\n");
                return EFI_ST_FAILURE;
        }
+       data[3] = 0xff;
+       len = 3;
+       ret = runtime->get_variable(L"efi_st_var0", &guid_vendor0,
+                                   &attr, &len, data);
+       if (ret != EFI_SUCCESS) {
+               efi_st_error("GetVariable failed\n");
+               return EFI_ST_FAILURE;
+       }
+       if (efi_st_memcmp(data, v + 4, 3)) {
+               efi_st_error("GetVariable returned wrong value\n");
+               return EFI_ST_FAILURE;
+       }
+       if (data[3] != 0xff) {
+               efi_st_error("GetVariable wrote past the end of the buffer\n");
+               return EFI_ST_FAILURE;
+       }
        /* Set variable 1 */
        ret = runtime->set_variable(L"efi_st_var1", &guid_vendor1,
                                    EFI_VARIABLE_BOOTSERVICE_ACCESS,