mirror of
https://github.com/qemu/qemu.git
synced 2026-07-08 17:46:17 +00:00
hw/uefi: check auth.hdr_length minimum size
auth.hdr_length maximum is already checked (against buffer size). The
header has some fixed fields which are included in the header length, so
there also is a minimum size which must be verified. Add a check for
that. Fixes possible integer underflow.
While being at it replace the magic number '24' with sizeof calculations
for better code documentation.
Fixes: CVE-2026-8341
Fixes: f1488fac05 ("hw/uefi: add var-service-auth.c")
Reported-by: Feifan Qian <bea1e@proton.me>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20260512060523.17493-1-kraxel@redhat.com>
This commit is contained in:
@@ -194,7 +194,7 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars_state *uv,
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
if (auth.hdr_length == 24) {
|
||||
if (auth.hdr_length == (sizeof(auth) - sizeof(auth.timestamp))) {
|
||||
/* no signature (auth->cert_data is empty) */
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
@@ -228,6 +228,9 @@ efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var,
|
||||
}
|
||||
memcpy(&auth, data, sizeof(auth));
|
||||
|
||||
if (auth.hdr_length < (sizeof(auth) - sizeof(auth.timestamp))) {
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
if (uadd64_overflow(sizeof(efi_time), auth.hdr_length, &data_offset)) {
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
|
||||
@@ -113,9 +113,9 @@ static gnutls_datum_t *build_pkcs7(void *data)
|
||||
|
||||
memcpy(&auth, data, sizeof(auth));
|
||||
pkcs7 = g_new(gnutls_datum_t, 1);
|
||||
pkcs7->size = auth.hdr_length - 24;
|
||||
pkcs7->size = auth.hdr_length - (sizeof(auth) - sizeof(auth.timestamp));
|
||||
pkcs7->data = g_malloc(pkcs7->size);
|
||||
memcpy(pkcs7->data, data + 16 + 24, pkcs7->size);
|
||||
memcpy(pkcs7->data, data + sizeof(auth), pkcs7->size);
|
||||
|
||||
wrap_pkcs7(pkcs7);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user