pcrlock: reject device path node shorter than its header

event_log_record_extract_firmware_description() walks the device path
of a UEFI_IMAGE_LOAD_EVENT taken from the firmware TPM2 measurement log.
The per-node loop checks the remaining bytes against the node and its
declared length, but never that dp->length covers the 4-byte node header
offsetof(packed_EFI_DEVICE_PATH, path).

For a Media/File-Path node with length 3, the file-name extraction
computes dp->length - offsetof(packed_EFI_DEVICE_PATH, path) == 3 - 4,
which wraps to SIZE_MAX. utf16_to_utf8() treats SIZE_MAX as unbounded
and runs char16_strlen() over dp->path, reading past the log buffer; a
length of 0 also leaves dp non-advancing.

efi_get_boot_option() in src/shared/efi-api.c already rejects such nodes
with "if (dpath->length < 4) break;"; do the same here.
Syed Mohammed Nayyar
2026-06-25 22:16:03 +05:30
committed by Lennart Poettering
parent 2da8cd09c2
commit d2a704388f
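
The per-node checks described in the commit message, as an added stand-alone example (not systemd's code and not part of this commit). The function names, macro names and sample byte arrays are constructed for illustration; the node layout assumed is the 4-byte header of type, subtype and 16-bit little-endian length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this example: 4-byte node header
 * (type, subtype, 16-bit little-endian length), then the payload. */
#define DP_HEADER_SIZE 4u
#define DP_TYPE_MEDIA 0x04
#define DP_SUBTYPE_FILE_PATH 0x04
#define DP_TYPE_END 0x7f

/* Constructed sample device paths (hypothetical data, not from a real log). */
static const uint8_t sample_ok[]    = { 0x04, 0x04, 0x08, 0x00, 'a', 0, 0, 0, 0x7f, 0xff, 0x04, 0x00 };
static const uint8_t sample_short[] = { 0x04, 0x04, 0x03, 0x00 };  /* length 3 < header */
static const uint8_t sample_zero[]  = { 0x01, 0x01, 0x00, 0x00, 0x7f, 0xff, 0x04, 0x00 };

/* What the payload-size subtraction yields when the length is not validated. */
size_t unchecked_payload_size(uint16_t length) {
    return (size_t) length - DP_HEADER_SIZE;  /* wraps for length < 4 */
}

/* Returns the payload size of the first Media/File-Path node, 0 if the path
 * ends without one, or -1 if any node is malformed. */
long dp_file_path_payload(const uint8_t *buf, size_t size) {
    size_t off = 0;
    while (off < size) {
        size_t left = size - off;
        if (left < DP_HEADER_SIZE)
            return -1;                        /* header itself is truncated */
        const uint8_t *node = buf + off;
        size_t length = (size_t) node[2] | ((size_t) node[3] << 8);
        if (length < DP_HEADER_SIZE)
            return -1;                        /* would wrap below; 0 never advances */
        if (left < length)
            return -1;                        /* node runs past the buffer */
        if (node[0] == DP_TYPE_END)
            return 0;
        if (node[0] == DP_TYPE_MEDIA && node[1] == DP_SUBTYPE_FILE_PATH)
            return (long) (length - DP_HEADER_SIZE);  /* safe: length >= 4 */
        off += length;
    }
    return 0;
}

int main(void) {
    printf("ok=%ld short=%ld zero=%ld\n",
           dp_file_path_payload(sample_ok, sizeof sample_ok),
           dp_file_path_payload(sample_short, sizeof sample_short),
           dp_file_path_payload(sample_zero, sizeof sample_zero));
    return 0;
}
```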

@@ -837,7 +837,9 @@ static int event_log_record_extract_firmware_description(EventLogRecord *rec) {
goto invalid;
}
if (left < offsetof(packed_EFI_DEVICE_PATH, path) || left < dp->length) {
if (left < offsetof(packed_EFI_DEVICE_PATH, path) ||
dp->length < offsetof(packed_EFI_DEVICE_PATH, path) ||
left < dp->length) {
log_warning("Device path element too short, ignoring.");
goto invalid;
}
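
Review bot: The new middle condition, dp->length < offsetof(packed_EFI_DEVICE_PATH, path), shares the "Device path element too short, ignoring." warning with the two remaining-bytes checks, so the log cannot distinguish a truncated buffer from a node that declares a length below its own header. Consider a separate message for the new condition, or printing dp->length and left in the existing one, since this input comes from the firmware measurement log and the distinction matters when triaging a malformed log. A one-line comment above the condition saying that it guards the later dp->length - offsetof(packed_EFI_DEVICE_PATH, path) subtraction and the non-advancing zero-length case would keep it from being removed as redundant in a later cleanup. No regression input with a node of length 3 or 0 is visible in this hunk; adding one would pin the behaviour.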