efi_loader: device_path: check against file path length

device_path strcuture has 2 bytes of "length" field, and so file path length should not exceed this limit, 65535. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-10-09 16:19:52 +09:00 · 2019-10-09 16:19:52 +09:00 · 08c51fff30
parent c83b1bb923
commit 08c51fff30
1 changed files with 9 additions and 2 deletions
--- a/lib/efi_loader/efi_device_path.c
+++ b/lib/efi_loader/efi_device_path.c
@ -15,6 +15,7 @@
 #include <part.h>
 #include <sandboxblockdev.h>
 #include <asm-generic/unaligned.h>
+#include <linux/compat.h> /* U16_MAX */

 #ifdef CONFIG_SANDBOX
 const efi_guid_t efi_guid_host_dev = U_BOOT_HOST_DEV_GUID;
@ -888,13 +889,16 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part,
 {
 	struct efi_device_path_file_path *fp;
 	void *buf, *start;
-	unsigned dpsize = 0, fpsize;
+	size_t dpsize = 0, fpsize;

 	if (desc)
 		dpsize = dp_part_size(desc, part);

 	fpsize = sizeof(struct efi_device_path) +
 		 2 * (utf8_utf16_strlen(path) + 1);
+	if (fpsize > U16_MAX)
+		return NULL;
+
 	dpsize += fpsize;

 	start = buf = dp_alloc(dpsize + sizeof(END));
@ -908,7 +912,7 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part,
 	fp = buf;
 	fp->dp.type = DEVICE_PATH_TYPE_MEDIA_DEVICE;
 	fp->dp.sub_type = DEVICE_PATH_SUB_TYPE_FILE_PATH;
-	fp->dp.length = fpsize;
+	fp->dp.length = (u16)fpsize;
 	path_to_uefi(fp->str, path);
 	buf += fpsize;

@ -1070,5 +1074,8 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr,
 	*file = efi_dp_from_file(((!is_net && device) ? desc : NULL),
 				 part, filename);

+	if (!file)
+		return EFI_INVALID_PARAMETER;
+
 	return EFI_SUCCESS;
 }