[Skiboot] [PATCH 1/7] secvar/backend: Don't overread short variables in validate

Daniel Axtens dja at axtens.net
Thu Jul 1 22:41:00 AEST 2021


Fix an OOB read caught by our fuzzer.

It might be good future work to change function signatures to pass
some size data around explicitly?

Signed-off-by: Daniel Axtens <dja at axtens.net>
---
 libstb/secvar/backend/edk2-compat.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libstb/secvar/backend/edk2-compat.c b/libstb/secvar/backend/edk2-compat.c
index 9e61fbc60ff9..bfa2659e526b 100644
--- a/libstb/secvar/backend/edk2-compat.c
+++ b/libstb/secvar/backend/edk2-compat.c
@@ -280,6 +280,9 @@ static int edk2_compat_validate(struct secvar *var)
 			&& !key_equals(var->key, "dbx"))
 		return OPAL_PARAMETER;
 
+	if (var->data_size < sizeof(struct efi_variable_authentication_2))
+		return OPAL_PARAMETER;
+
 	/* Check that signature type is PKCS7 */
 	if (!is_pkcs7_sig_format(var->data))
 		return OPAL_PARAMETER;
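Review bot: The new `var->data_size` check in edk2_compat_validate() has no comment, unlike the "Check that signature type is PKCS7" check directly after it, so the reason for the ordering is easy to lose in a later refactor. A one-line comment would help, saying that `is_pkcs7_sig_format(var->data)` is called with no length and therefore relies on the buffer holding at least a full `struct efi_variable_authentication_2`. Since the bound lives only in this caller, any other caller of is_pkcs7_sig_format() needs the same guard; passing the size into the helper, as the commit message suggests, would move the check to the place where the read happens. This check also only covers the fixed-size header, so any length field read out of that header later still needs to be validated against `var->data_size` separately.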
-- 
2.30.2


