[Skiboot] [PATCH 3/7] secvar/backend: fix an integer underflow bug

Thu Jul 1 22:41:02 AEST 2021

If a declared size is smaller than uuid size, we end up allocating
with an allocation of a 'negative' number, which is a huge 64 bit
number.

Signed-off-by: Daniel Axtens <dja at axtens.net>
---
 libstb/secvar/backend/edk2-compat-process.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index ab8efd9b2573..edbb588899c8 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -128,6 +128,9 @@ static int get_esl_cert(const char *buf, const size_t buflen, char **cert)
 
 	assert(cert != NULL);
 
+	if (le32_to_cpu(list->SignatureSize) <= sizeof(uuid_t))
+		return OPAL_PARAMETER;
+
 	size = le32_to_cpu(list->SignatureSize) - sizeof(uuid_t);
 
 	prlog(PR_DEBUG,"size of signature list size is %u\n",
-- 
2.30.2

