ACK: [PATCH 4/5] efi_runtime: get_nextvariable: copy only the needed name bytes
Alex Hung
alex.hung at canonical.com
Mon Mar 2 02:52:31 UTC 2015
On 02/06/2015 11:50 AM, Ricardo Neri wrote:
> We trust the name_size passed by the user_space. Thus, there is no
> need to copy from user more bytes than specified.
>
> Furthermore, this behavior could mask potential problems in the
> firmware: to start traversing the list of variable names, some firmware
> implementations may just blindly check if name[0] is '\0' without
> even checking if the size of the buffer passed by the operating system
> is at least 2 bytes (UEFI variable names are stored in strings of 2-byte
> characters). This behaviour is wrong as the firmware must not access
> memory beyond the name buffer. By providing a 1024-byte buffer of
> zeroes we allow the name[0] == '\0' to pass, regardless of the size
> of the buffer.
>
> Signed-off-by: Ricardo Neri <ricardo.neri-calderon at linux.intel.com>
> ---
> efi_runtime/efi_runtime.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/efi_runtime/efi_runtime.c b/efi_runtime/efi_runtime.c
> index 4ef1754..786a1df 100644
> --- a/efi_runtime/efi_runtime.c
> +++ b/efi_runtime/efi_runtime.c
> @@ -457,7 +457,7 @@ static long efi_runtime_get_nextvariablename(unsigned long arg)
>
> rv = copy_ucs2_from_user_len(&name,
> pgetnextvariablename_local.VariableName,
> - 1024);
> + name_size);
> if (rv)
> return rv;
>
>
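Review bot: at the copy_ucs2_from_user_len() call, the length argument is now name_size, which the commit message says comes from user space and is trusted, so the fixed 1024 that previously capped the copy is gone and nothing visible in this hunk bounds the new value. Suggest validating name_size before the call: reject or clamp anything above a sane maximum (the previous 1024 would do), and decide explicitly how a size of 0 or an odd byte count is handled, given that the names are 2-byte characters. A short comment at the call stating that the exact user-supplied size is deliberate, so that firmware reading past the name buffer is exposed rather than masked, would also keep the constant from being restored later.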
Acked-by: Alex Hung <alex.hung at canonical.com>