From 1f5c8eac2f299bd3a2fc748b068acbb4b90d592d Mon Sep 17 00:00:00 2001
From: Ilias Apalodimas
Date: Fri, 19 Jun 2026 11:38:29 +0300
Subject: efi_loader: fix memory leak in efi_var_collect
Barebox has now ported some of the UEFI code. In the process they found some bugs. In this case when the variable buffer is too small, efi_var_collect() returns EFI_BUFFER_TOO_SMALL but doesn't free the allocated 'buf'.
Fixes: 5f7dcf079de8c ("efi_loader: UEFI variable persistence")
Signed-off-by: Ilias Apalodimas
Reviewed-by: Heinrich Schuchardt
---
lib/efi_loader/efi_var_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'lib/efi_loader')
diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index d63c2d1b1cd..e51b21fe0b0 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -446,8 +446,10 @@ efi_status_t __maybe_unused efi_var_collect(struct efi_var_file **bufp, loff_t *
 efi_status_t ret;
 if ((uintptr_t)buf + len <=
- (uintptr_t)var->name + old_var_name_length)
+ (uintptr_t)var->name + old_var_name_length) {
+ free(buf);
 return EFI_BUFFER_TOO_SMALL;
+ }
 var_name_length = (uintptr_t)buf + len - (uintptr_t)var->name;
 memcpy(var->name, old_var->name, old_var_name_length);
-- 
cgit v1.3.1
From 41c6b83c777788692640fa0f85a2381d8959f301 Mon Sep 17 00:00:00 2001
From: Vincent Stehlé
Date: Tue, 9 Jun 2026 10:07:04 +0200
Subject: lib/efi_loader: fix block io revision
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Revision field of the EFI_BLOCK_IO_PROTOCOL structure must be set to one of the two valid values [1], but this is not initialized in the efi_loader; fix it.
Link: https://uefi.org/specs/UEFI/2.11/13_Protocols_Media_Access.html#efi-block-io-protocol [1]
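Review bot: In efi_var_collect() (lib/efi_loader/efi_var_common.c), the added `free(buf);` on the EFI_BUFFER_TOO_SMALL path releases the buffer, but nothing visible in the hunk shows what `*bufp` holds at that point. It is worth confirming that the caller cannot be left holding a pointer to the freed buffer, since a double free or use-after-free in a caller would be worse than the leak being fixed. If `*bufp` is only assigned on success, a short comment above the `free(buf);`, such as `/* *bufp is not set yet, so the caller never sees this buffer */`, would record that invariant. Because the leak came from one early return missing its cleanup, routing the loop's error exits through a single cleanup label would keep later early returns from repeating it. The function body starts and ends outside the hunk.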
Signed-off-by: Vincent Stehlé
Cc: Heinrich Schuchardt
Cc: Ilias Apalodimas
Cc: Tom Rini
Reviewed-by: Heinrich Schuchardt
---
lib/efi_loader/efi_disk.c | 1 +
1 file changed, 1 insertion(+)
(limited to 'lib/efi_loader')
diff --git a/lib/efi_loader/efi_disk.c b/lib/efi_loader/efi_disk.c
index f8a57539ec6..4a3ace3a304 100644
--- a/lib/efi_loader/efi_disk.c
+++ b/lib/efi_loader/efi_disk.c
@@ -305,6 +305,7 @@ static efi_status_t EFIAPI efi_disk_flush_blocks(struct efi_block_io *this)
 }
 static const struct efi_block_io block_io_disk_template = {
+ .revision = EFI_BLOCK_IO_PROTOCOL_REVISION3,
 .reset = &efi_disk_reset,
 .read_blocks = &efi_disk_read_blocks,
 .write_blocks = &efi_disk_write_blocks,
-- 
cgit v1.3.1
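Review bot: Setting `.revision = EFI_BLOCK_IO_PROTOCOL_REVISION3` in block_io_disk_template tells consumers that the media structure carries the fields added in revisions 2 and 3 (LowestAlignedLba, LogicalBlocksPerPhysicalBlock, OptimalTransferLengthGranularity), and a loader that checks Revision will go on to read them. The hunk does not show how the media structure is declared or filled, so please confirm those fields exist and hold defined values for every disk and partition object. If they are not populated, the lower of the valid revision values would be the accurate claim. A one-line comment on the initialiser, such as `/* media struct includes the revision 2 and 3 fields */`, would tie the advertised revision to the structure layout. The template initialiser continues past the end of the hunk.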