From 60ff3d950996c2ea0bb744fd9c922a96abc65774 Mon Sep 17 00:00:00 2001
From: Vincent Stehlé <vincent.stehle@arm.com>
Date: Thu, 11 Jun 2026 08:59:50 +0200
Subject: efi_selftest: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the `memory' efi selftest verifies the Devicetree memory reservation,
it accesses the memory_map buffer after it has been freed with free_pool().
Move the verification earlier to fix this.

Fixes: 34c96659ed57 ("efi_selftest: check fdt is marked as runtime data")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 lib/efi_selftest/efi_selftest_memory.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/lib/efi_selftest/efi_selftest_memory.c b/lib/efi_selftest/efi_selftest_memory.c
index 7320964c129..450470ceedd 100644
--- a/lib/efi_selftest/efi_selftest_memory.c
+++ b/lib/efi_selftest/efi_selftest_memory.c
@@ -155,6 +155,15 @@ static int execute(void)
 			       EFI_RUNTIME_SERVICES_DATA) != EFI_ST_SUCCESS)
 		return EFI_ST_FAILURE;
 
+	/* Check memory reservation for the device tree */
+	if (fdt_addr &&
+	    find_in_memory_map(map_size, memory_map, desc_size, fdt_addr,
+			       EFI_ACPI_RECLAIM_MEMORY) != EFI_ST_SUCCESS) {
+		efi_st_error
+			("Device tree not marked as ACPI reclaim memory\n");
+		return EFI_ST_FAILURE;
+	}
+
 	/* Free memory */
 	ret = boottime->free_pages(p1, EFI_ST_NUM_PAGES);
 	if (ret != EFI_SUCCESS) {
@@ -172,14 +181,6 @@ static int execute(void)
 		return EFI_ST_FAILURE;
 	}
 
-	/* Check memory reservation for the device tree */
-	if (fdt_addr &&
-	    find_in_memory_map(map_size, memory_map, desc_size, fdt_addr,
-			       EFI_ACPI_RECLAIM_MEMORY) != EFI_ST_SUCCESS) {
-		efi_st_error
-			("Device tree not marked as ACPI reclaim memory\n");
-		return EFI_ST_FAILURE;
-	}
 	return EFI_ST_SUCCESS;
 }
 
-- 
cgit v1.3.1