[PATCH] uservars: Catch out-of-bound datalen


Jan Kiszka

Jun 3, 2026, 12:01:47 PM
to EFI Boot Guard
From: Jan Kiszka <jan.k...@siemens.com>

Callers of bgenv_set_uservar() are expected to stay way below UINT32_MAX
with their data len, validating it on their own if it could be
controlled by a third party. However, we should still provide a proper
error instead of overrunning in the size calculation.

Reported-by: 0x5t4l1n (github)
Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
---
env/uservars.c | 7 +++++--
tools/tests/test_ebgenv_api_internal.c | 4 ++++
2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/env/uservars.c b/env/uservars.c
index 2fafa7d..d7f4bbe 100644
--- a/env/uservars.c
+++ b/env/uservars.c
@@ -209,11 +209,14 @@ int bgenv_get_uservar(uint8_t *udata, const char *key, uint64_t *type,
int bgenv_set_uservar(uint8_t *udata, const char *key, uint64_t type,
const void *data, uint32_t datalen)
{
- uint32_t total_size;
+ uint64_t total_size;
uint8_t *p;

- total_size = datalen + sizeof(uint64_t) + sizeof(uint32_t) +
+ total_size = (uint64_t)datalen + sizeof(uint64_t) + sizeof(uint32_t) +
strlen(key) + 1;
+ if (total_size > UINT32_MAX) {
+ return -EINVAL;
+ }

p = bgenv_find_uservar(udata, key);
if (p) {
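
Review bot: the new early return of -EINVAL after the total_size calculation in bgenv_set_uservar() is a change in the function's contract and should be mentioned in its API comment, so callers know an oversized datalen is now rejected rather than silently accepted. The arithmetic itself is sound: with the (uint64_t) cast on datalen the whole sum is evaluated in 64 bits and cannot wrap before the comparison. Since total_size is now uint64_t, any later use that passes it to a 32-bit parameter narrows implicitly; that is safe only because of the check above, so a short comment at the check saying it guarantees total_size fits in uint32_t would keep a future refactoring from moving or dropping it.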
diff --git a/tools/tests/test_ebgenv_api_internal.c b/tools/tests/test_ebgenv_api_internal.c
index d7c6189..9c174f6 100644
--- a/tools/tests/test_ebgenv_api_internal.c
+++ b/tools/tests/test_ebgenv_api_internal.c
@@ -427,6 +427,10 @@ START_TEST(ebgenv_api_internal_uservars)
}
}

+ res = bgenv_set(handle, "myvar2", USERVAR_TYPE_STRING_ASCII, "",
+ UINT32_MAX);
+ ck_assert_int_eq(res, -EINVAL);
+
write_env_fake.call_count = 0;

bgenv_close(handle);
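
Review bot: the added bgenv_set() call passes the one-byte literal "" together with a datalen of UINT32_MAX, so the test is only safe while the length check runs before anything reads from data; if that order ever changes, the test reads far past the buffer instead of failing cleanly. It also exercises only the extreme value. Consider adding a case where datalen is just large enough for the sum with the header and key length to exceed UINT32_MAX, and asserting afterwards that "myvar2" was not created, so the test pins down the boundary and shows the environment was left untouched. Because the call goes through bgenv_set() rather than bgenv_set_uservar() directly, the assertion cannot tell which layer produced -EINVAL; a direct call to bgenv_set_uservar() would tie the test to the check this patch adds.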
--
2.47.3