pcrlock: reject device path node shorter than its header

event_log_record_extract_firmware_description() walks the device path of a UEFI_IMAGE_LOAD_EVENT taken from the firmware TPM2 measurement log. The per-node loop checks the remaining bytes against the node and its declared length, but never that dp->length covers the 4-byte node header offsetof(packed_EFI_DEVICE_PATH, path). For a Media/File-Path node with length 3, the file-name extraction computes dp->length - offsetof(packed_EFI_DEVICE_PATH, path) == 3 - 4, which wraps to SIZE_MAX. utf16_to_utf8() treats SIZE_MAX as unbounded and runs char16_strlen() over dp->path, reading past the log buffer; a length of 0 also leaves dp non-advancing. efi_get_boot_option() in src/shared/efi-api.c already rejects such nodes with "if (dpath->length < 4) break;"; do the same here.
2026-06-30 19:57:29 +00:00 · 2026-06-25 22:16:03 +05:30
parent 2da8cd09c2
commit d2a704388f
1 changed files with 3 additions and 1 deletions
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -837,7 +837,9 @@ static int event_log_record_extract_firmware_description(EventLogRecord *rec) {
                                goto invalid;
                        }

-                        if (left < offsetof(packed_EFI_DEVICE_PATH, path) || left < dp->length) {
+                        if (left < offsetof(packed_EFI_DEVICE_PATH, path) ||
+                            dp->length < offsetof(packed_EFI_DEVICE_PATH, path) ||
+                            left < dp->length) {
                                log_warning("Device path element too short, ignoring.");
                                goto invalid;
                        }