Fix stack overflow caused by infinite recursion#303
Conversation
marta-lewandowska
force-pushed
the
fix_stack_overflow
branch
2 times, most recently
from
2815924 to
bc3a31b
Compare
| * need to test it. if it /is/ size, there's no optional data. */ | ||
| sz = ucs2size(opt->description, ret); | ||
| p = (uint8_t *)(opt->description) + sz; | ||
| if (sizeof(p) < 4) |
There was a problem hiding this comment.
This check looks strange. p is a uint8_t pointer, so sizeof(p) is either 4 (for 32bit) or 8 (for 64bit), and sizeof(p) < 4 is always false.
There was a problem hiding this comment.
you're right. that's not much of a fix. could you please take a look at v2? :)
marta-lewandowska
force-pushed
the
fix_stack_overflow
branch
2 times, most recently
from
e729692 to
c6915f6
Compare
lcp
left a comment
lcp
left a comment
There was a problem hiding this comment.
The check is probably too late. If one of the EFI device path node contains 0 Length, it could cause problem in efidp_is_valid() already.
In such case, limit -= hdr->length; in efidp_is_valid() won't decrease limit and the while loop just keeps running and running...
|
I'd suggest to insert a It will avoid the infinite loop I mentioned above and the negative size from |
marta-lewandowska
force-pushed
the
fix_stack_overflow
branch
from
c6915f6 to
a52bb08
Compare
|
@lcp yes you're right of course. thank you for all of the help :) |
| for (sz = 0; sz < opt->file_path_list_length; | ||
| sz += efidp_size((const_efidp)(p + sz))) | ||
| ; | ||
| sz += efidp_size((const_efidp)(p + sz))) |
There was a problem hiding this comment.
The change of indentation is not necessary.
There was a problem hiding this comment.
sorry; not intentional
There was a problem hiding this comment.
Another unnecessary change in src/loadopt.c remains...
marta-lewandowska
force-pushed
the
fix_stack_overflow
branch
from
a52bb08 to
0e7bebc
Compare
If an EFI device path node has 0 length, loop will never terminate. Resolves: bz#2459982 Resolves: CVE-2026-6862 Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
marta-lewandowska
force-pushed
the
fix_stack_overflow
branch
from
0e7bebc to
4e3e1ff
Compare
2 participants
if p < 4 the loop will continue forever because efidp_node_size (called by efidp_size) returns -1 if the length of the args passed to it are < 4. Fixes CVE-2026-6862
Resolves rhbz#2459982
Signed-off-by: Marta Lewandowska mlewando@redhat.com