* Avoid out-of-bounds access in the efivars code when performing

string matching on converted EFI variable names - Laszlo Ersek -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAABCAAGBQJXGnOlAAoJEC84WcCNIz1VWOQP+gLkw3FGdlQBlPc9XjxWwXWk 2d7x/zo6j+2zObHjN0jS2FNbBkc8LKPbo1WO1tklHjs5wMjpDsd60CLRsPQEzDkU DZ87WYRUcgLgPC8Gtum8ImdpM0fR3vXK79F8PIvL9OxIxgYIDkQAV6XcpETjn9y6 cBfg3agbr1WV3OuFrRs+FBQMSeIVLDybwN2GBQ7fbzplJ3QvQfjjSTT6adwhgie4 1maIUVAR5yZl78EV8wucLMi6dWnKGM2seLYAd5M5Z+EQ0TTLwBZ9Dop4ToxJfchu hVdUBnTXDmaOb8s20D7A7TeZtjMari4Ia2VXBeHR94kQPLttc8TlkwmSykiY2jhq u1p7GF4BO5sxYI6MpG4fYpiHw+jRRKf8mGJ/h8veg2sxW5GzWQf9B+qTiUT64tKL GCqDNUZ7hd5RMQY/igPgGhyZsIpRNhCxbcQgbHszyr+KdSebMVVTFEESjpV6IQIL FoZEMx/fvsLVq2And0NAkmNtlmZpqNW+ejI9QScvpY2Nnp2IIEFj8b73zu+ZfaL2 QUsB3trGqHTsMhKwkgw7+/NLjz1r2W3Pk8VUP3lJWtO8C9c8uNCSeEH3+YMfxDPE pFhDm+bZhZdQkbJpPDckD604hM2cF9bMbFyWD7c6s+Vfd18fygIf3EVJWDiMokTf WINEFvOqvsoDjrlpswO3 =6r98 -----END PGP SIGNATURE----- Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into efi/urgent Pull EFI fix from Matt Fleming: * Avoid out-of-bounds access in the efivars code when performing string matching on converted EFI variable names (Laszlo Ersek) Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-04-25 17:28:11 +02:00 · 2016-04-25 17:28:11 +02:00 · ede85e90be
parent 02da2d7217 630ba0cc7a
commit ede85e90be
1 changed files with 26 additions and 11 deletions
--- a/drivers/firmware/efi/vars.c
+++ b/drivers/firmware/efi/vars.c
@ -202,29 +202,44 @@ static const struct variable_validate variable_validate[] = {
 	{ NULL_GUID, "", NULL },
 };

+/*
+ * Check if @var_name matches the pattern given in @match_name.
+ *
+ * @var_name: an array of @len non-NUL characters.
+ * @match_name: a NUL-terminated pattern string, optionally ending in "*". A
+ *              final "*" character matches any trailing characters @var_name,
+ *              including the case when there are none left in @var_name.
+ * @match: on output, the number of non-wildcard characters in @match_name
+ *         that @var_name matches, regardless of the return value.
+ * @return: whether @var_name fully matches @match_name.
+ */
 static bool
 variable_matches(const char *var_name, size_t len, const char *match_name,
 		 int *match)
 {
 	for (*match = 0; ; (*match)++) {
 		char c = match_name[*match];
-		char u = var_name[*match];

-		/* Wildcard in the matching name means we've matched */
-		if (c == '*')
+		switch (c) {
+		case '*':
+			/* Wildcard in @match_name means we've matched. */
 			return true;

-		/* Case sensitive match */
-		if (!c && *match == len)
-			return true;
+		case '\0':
+			/* @match_name has ended. Has @var_name too? */
+			return (*match == len);

-		if (c != u)
+		default:
+			/*
+			 * We've reached a non-wildcard char in @match_name.
+			 * Continue only if there's an identical character in
+			 * @var_name.
+			 */
+			if (*match < len && c == var_name[*match])
+				continue;
 			return false;
-
-		if (!c)
-			return true;
 		}
-	return true;
+	}
 }

 bool