From b33fd8ab1caa07aeb290ef5dac44a4e7fd4be02b Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 12 May 2026 08:05:23 +0200 Subject: [PATCH] hw/uefi: check auth.hdr_length minimum size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit auth.hdr_length maximum is already checked (against buffer size). The header has some fixed fields which are included in the header length, so there also is a minimum size which must be verified. Add a check for that. Fixes possible integer underflow. While being at it replace the magic number '24' with sizeof calculations for better code documentation. Fixes: CVE-2026-8341 Fixes: f1488fac0584 ("hw/uefi: add var-service-auth.c") Reported-by: Feifan Qian Reviewed-by: Daniel P. Berrangé Signed-off-by: Gerd Hoffmann Message-ID: <20260512060523.17493-1-kraxel@redhat.com> --- hw/uefi/var-service-auth.c | 5 ++++- hw/uefi/var-service-pkcs7.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/hw/uefi/var-service-auth.c b/hw/uefi/var-service-auth.c index 795f2f54e4..f3dc9c6ca6 100644 --- a/hw/uefi/var-service-auth.c +++ b/hw/uefi/var-service-auth.c @@ -194,7 +194,7 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars_state *uv, return EFI_SUCCESS; } - if (auth.hdr_length == 24) { + if (auth.hdr_length == (sizeof(auth) - sizeof(auth.timestamp))) { /* no signature (auth->cert_data is empty) */ return EFI_SECURITY_VIOLATION; } @@ -228,6 +228,9 @@ efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var, } memcpy(&auth, data, sizeof(auth)); + if (auth.hdr_length < (sizeof(auth) - sizeof(auth.timestamp))) { + return EFI_SECURITY_VIOLATION; + } if (uadd64_overflow(sizeof(efi_time), auth.hdr_length, &data_offset)) { return EFI_SECURITY_VIOLATION; } diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c index c859743e86..8a1f1395a2 100644 --- a/hw/uefi/var-service-pkcs7.c +++ b/hw/uefi/var-service-pkcs7.c @@ -113,9 +113,9 @@ static gnutls_datum_t *build_pkcs7(void *data) memcpy(&auth, data, sizeof(auth)); pkcs7 = g_new(gnutls_datum_t, 1); - pkcs7->size = auth.hdr_length - 24; + pkcs7->size = auth.hdr_length - (sizeof(auth) - sizeof(auth.timestamp)); pkcs7->data = g_malloc(pkcs7->size); - memcpy(pkcs7->data, data + 16 + 24, pkcs7->size); + memcpy(pkcs7->data, data + sizeof(auth), pkcs7->size); wrap_pkcs7(pkcs7);