efi_loader: Avoid underflow when calculating remaining var store size

The efi_var_mem_free() function calculates the available size for a new EFI variable by subtracting the occupied buffer size and the overhead for a new variable from the maximum buffer size set in Kconfig. This is then returned as QueryVariableInfo()'s RemainingVariableStorageSize output. This can underflow as the calculation is done in and processed as unsigned integer types. Check for underflow before doing the subtraction and return zero if there's no space. Fixes: f1f990a8c958 ("efi_loader: memory buffer for variables") Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
author: Alper Nebi Yasak 2023-07-08 18:23:05 +0300
committer: Heinrich Schuchardt 2023-07-09 03:53:08 +0200
commit: d7fe913f23b1907ac6ccb1552151fbcaa89bcdb0 (patch)
tree: bddc40eaef7b6c74c5010e4c5632864d69ef60f1 /lib
parent: 0ef6343439c62eb4e18c6ce0e1a3739d0e7f1e2e (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/efi_loader/efi_var_mem.c b/lib/efi_loader/efi_var_mem.c
index d6b65aed12e..5fa7dcb8d3e 100644
--- a/lib/efi_loader/efi_var_mem.c
+++ b/lib/efi_loader/efi_var_mem.c
@@ -177,6 +177,10 @@ efi_status_t __efi_runtime efi_var_mem_ins(
 
 u64 __efi_runtime efi_var_mem_free(void)
 {
+	if (efi_var_buf->length + sizeof(struct efi_var_entry) >=
+	    EFI_VAR_BUF_SIZE)
+		return 0;
+
 	return EFI_VAR_BUF_SIZE - efi_var_buf->length -
 	       sizeof(struct efi_var_entry);
 }
author	Alper Nebi Yasak	2023-07-08 18:23:05 +0300
committer	Heinrich Schuchardt	2023-07-09 03:53:08 +0200
commit	d7fe913f23b1907ac6ccb1552151fbcaa89bcdb0 (patch)
tree	bddc40eaef7b6c74c5010e4c5632864d69ef60f1 /lib
parent	0ef6343439c62eb4e18c6ce0e1a3739d0e7f1e2e (diff)