From 5150a86187657807a3de38c138ca281e6c1a6259 Mon Sep 17 00:00:00 2001 From: Vincent Stehlé Date: Mon, 15 Jun 2026 12:56:15 +0200 Subject: efi_selftest: fix guid comparison MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `loaded image' efi selftest is comparing protocol GUIDs with the wrong polarity. This can be verified on the sandbox, where two protocols GUIDs are retrieved by the test from the image handle in the following order: 1. Loaded Image Device Path Protocol GUID 2. Loaded Image Protocol GUID The test matches on the first GUID, while it is in fact looking for the second one; fix the comparison polarity. Fixes: efe79a7c0de0 ("efi_selftest: test for loaded image protocol") Signed-off-by: Vincent Stehlé Cc: Heinrich Schuchardt Cc: Ilias Apalodimas Cc: Tom Rini Cc: Alexander Graf Reviewed-by: Heinrich Schuchardt --- lib/efi_selftest/efi_selftest_loaded_image.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/efi_selftest/efi_selftest_loaded_image.c b/lib/efi_selftest/efi_selftest_loaded_image.c index 5889ab12617..e0668f60ebd 100644 --- a/lib/efi_selftest/efi_selftest_loaded_image.c +++ b/lib/efi_selftest/efi_selftest_loaded_image.c @@ -60,8 +60,8 @@ static int execute(void) efi_st_printf("%u protocols installed on image handle\n", (unsigned int)protocol_buffer_count); for (i = 0; i < protocol_buffer_count; ++i) { - if (memcmp(protocol_buffer[i], &loaded_image_protocol_guid, - sizeof(efi_guid_t))) + if (!memcmp(protocol_buffer[i], &loaded_image_protocol_guid, + sizeof(efi_guid_t))) found = true; } if (!found) { -- cgit v1.3.1 From 1f5c8eac2f299bd3a2fc748b068acbb4b90d592d Mon Sep 17 00:00:00 2001 
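Review bot: In the loop of `execute()` in lib/efi_selftest/efi_selftest_loaded_image.c, the corrected test still relies on the bare truthiness of `memcmp()`, the same idiom that let the inverted polarity go unnoticed and let the selftest pass on any non-matching GUID. Spelling out the equality, `if (memcmp(protocol_buffer[i], &loaded_image_protocol_guid, sizeof(efi_guid_t)) == 0)`, makes the intent visible at a glance. Changing the body to `{ found = true; break; }` would also stop the scan at the first match. `execute()` begins and ends outside this hunk.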
From: Ilias Apalodimas Date: Fri, 19 Jun 2026 11:38:29 +0300 Subject: efi_loader: fix memory leak in efi_var_collect Barebox has now ported some of the UEFI code. In the process they found some bugs. In this case when the variable buffer is too small, efi_var_collect() returns EFI_BUFFER_TOO_SMALL but doesn't free the allocated 'buf'. Fixes: 5f7dcf079de8c ("efi_loader: UEFI variable persistence") Signed-off-by: Ilias Apalodimas Reviewed-by: Heinrich Schuchardt --- lib/efi_loader/efi_var_common.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c index d63c2d1b1cd..e51b21fe0b0 100644 --- a/lib/efi_loader/efi_var_common.c +++ b/lib/efi_loader/efi_var_common.c @@ -446,8 +446,10 @@ efi_status_t __maybe_unused efi_var_collect(struct efi_var_file **bufp, loff_t * efi_status_t ret; if ((uintptr_t)buf + len <= - (uintptr_t)var->name + old_var_name_length) + (uintptr_t)var->name + old_var_name_length) { + free(buf); return EFI_BUFFER_TOO_SMALL; + } var_name_length = (uintptr_t)buf + len - (uintptr_t)var->name; memcpy(var->name, old_var->name, old_var_name_length); -- cgit v1.3.1 From 41c6b83c777788692640fa0f85a2381d8959f301 Mon Sep 17 00:00:00 2001 From: Vincent Stehlé Date: Tue, 9 Jun 2026 10:07:04 +0200 Subject: lib/efi_loader: fix block io revision MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Revision field of the EFI_BLOCK_IO_PROTOCOL structure must be set to one of the two valid values [1], but this is not initialized in the efi_loader; fix it. Link: https://uefi.org/specs/UEFI/2.11/13_Protocols_Media_Access.html#efi-block-io-protocol [1] Signed-off-by: Vincent Stehlé Cc: Heinrich Schuchardt Cc: Ilias Apalodimas Cc: Tom Rini Reviewed-by: Heinrich Schuchardt --- lib/efi_loader/efi_disk.c | 1 + 1 file changed, 1 insertion(+) (limited to 'lib') 
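Review bot: The new `free(buf)` on the EFI_BUFFER_TOO_SMALL path of `efi_var_collect()` (lib/efi_loader/efi_var_common.c) releases the local buffer, but the hunk does not show what `*bufp` holds at that point. If callers free `*bufp` after a failed call, confirm that `*bufp` is NULL or still unassigned here, so the fix cannot turn the leak into a double free. A short comment such as `/* buf is not yet published through *bufp; release it before bailing out */` would record the ownership rule, assuming that is the case. The function body begins and ends outside the hunk, so its other exit paths could not be checked from here.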
diff --git a/lib/efi_loader/efi_disk.c b/lib/efi_loader/efi_disk.c index f8a57539ec6..4a3ace3a304 100644 --- a/lib/efi_loader/efi_disk.c +++ b/lib/efi_loader/efi_disk.c @@ -305,6 +305,7 @@ static efi_status_t EFIAPI efi_disk_flush_blocks(struct efi_block_io *this) } static const struct efi_block_io block_io_disk_template = { + .revision = EFI_BLOCK_IO_PROTOCOL_REVISION3, .reset = &efi_disk_reset, .read_blocks = &efi_disk_read_blocks, .write_blocks = &efi_disk_write_blocks, -- cgit v1.3.1 From 60ff3d950996c2ea0bb744fd9c922a96abc65774 Mon Sep 17 00:00:00 2001 From: Vincent Stehlé Date: Thu, 11 Jun 2026 08:59:50 +0200 Subject: efi_selftest: fix use-after-free MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the `memory' efi selftest verifies the Devicetree memory reservation, it accesses the memory_map buffer after it has been freed with free_pool(). Move the verification earlier to fix this. Fixes: 34c96659ed57 ("efi_selftest: check fdt is marked as runtime data") Signed-off-by: Vincent Stehlé Cc: Heinrich Schuchardt Cc: Ilias Apalodimas Cc: Tom Rini Reviewed-by: Ilias Apalodimas Reviewed-by: Heinrich Schuchardt --- lib/efi_selftest/efi_selftest_memory.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/efi_selftest/efi_selftest_memory.c b/lib/efi_selftest/efi_selftest_memory.c index 7320964c129..450470ceedd 100644 --- a/lib/efi_selftest/efi_selftest_memory.c +++ b/lib/efi_selftest/efi_selftest_memory.c 
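Review bot: Setting `.revision = EFI_BLOCK_IO_PROTOCOL_REVISION3` in `block_io_disk_template` (lib/efi_loader/efi_disk.c) tells consumers that the media structure carries the fields the UEFI specification ties to the later revisions. These are LowestAlignedLba and LogicalBlocksPerPhysicalBlock from revision 2, and OptimalTransferLengthGranularity from revision 3. The hunk does not show where the media structure is filled in, so confirm that those fields are initialized to meaningful values for every disk created from this template. A comment next to the initializer, e.g. `/* Revision 3: media must provide the revision 2 and 3 fields */`, would keep the two in step. The template initializer continues past the end of the hunk.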
@@ -155,6 +155,15 @@ static int execute(void) EFI_RUNTIME_SERVICES_DATA) != EFI_ST_SUCCESS) return EFI_ST_FAILURE; + /* Check memory reservation for the device tree */ + if (fdt_addr && + find_in_memory_map(map_size, memory_map, desc_size, fdt_addr, + EFI_ACPI_RECLAIM_MEMORY) != EFI_ST_SUCCESS) { + efi_st_error + ("Device tree not marked as ACPI reclaim memory\n"); + return EFI_ST_FAILURE; + } + /* Free memory */ ret = boottime->free_pages(p1, EFI_ST_NUM_PAGES); if (ret != EFI_SUCCESS) { @@ -172,14 +181,6 @@ static int execute(void) return EFI_ST_FAILURE; } - /* Check memory reservation for the device tree */ - if (fdt_addr && - find_in_memory_map(map_size, memory_map, desc_size, fdt_addr, - EFI_ACPI_RECLAIM_MEMORY) != EFI_ST_SUCCESS) { - efi_st_error - ("Device tree not marked as ACPI reclaim memory\n"); - return EFI_ST_FAILURE; - } return EFI_ST_SUCCESS; } -- cgit v1.3.1
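Review bot: The relocated device-tree check in `execute()` (lib/efi_selftest/efi_selftest_memory.c) carries no comment saying that its position matters. It reads `memory_map`, which per the commit description is released with free_pool() further down. Extending the comment to `/* Check memory reservation for the device tree; must run before memory_map is freed */` would keep a later reshuffle from reintroducing the use-after-free. Separately, the new `return EFI_ST_FAILURE;` exits before the "Free memory" section, so the pages at `p1` and the map buffer appear to stay allocated on that path. That matches the neighbouring early return, but is worth tidying if the selftests are run repeatedly. `execute()` begins and ends outside the hunk.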