From ac610fe45491deccaab2c4ee689cbbdac117930a Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 8 Sep 2020 12:26:45 +0200
Subject: [PATCH] Fix buffer overrun due DEFAULT_LOADER length miscalculation
The DEFAULT_LOADER is a UCS-2 string and the StrLen() function returns the
number of UCS-2 encoded characters in the string. But the allocated memory
is in bytes, so only half of the needed memory to store it is allocated.
This leads to a buffer overrun when the StrCpy() function attempts to copy
the DEFAULT_LOADER to the allocated buffer.
Fixes: 354bd9b1931 ("Actually check for errors from set_second_stage()")
Reported-by: Stuart Hayes <stuart_hayes@dell.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
shim.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/shim.c b/shim.c
index 34dce25c330..82913c934f6 100644
--- a/shim.c
+++ b/shim.c
@@ -2096,8 +2096,9 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
unsigned int i;
UINTN second_stage_len;
- second_stage_len = StrLen(DEFAULT_LOADER) + 1;
+ second_stage_len = (StrLen(DEFAULT_LOADER) + 1) * sizeof(CHAR16);
second_stage = AllocatePool(second_stage_len);
+
if (!second_stage) {
perror(L"Could not allocate %lu bytes\n", second_stage_len);
return EFI_OUT_OF_RESOURCES;
--
2.28.0