[PATCH master 27/39] efi: loader: fix NULL pointer dereference when deleting root volume handle
Ahmad Fatoum
a.fatoum at pengutronix.de
Mon Feb 16 00:44:27 PST 2026
efi_file_delete() unconditionally dereferences fh->parent->fd, but the
root volume handle created by efi_open_volume() has fh->parent = NULL.
If a UEFI application calls Delete() on the root handle, this crashes.
Check for a NULL parent and return EFI_WARN_DELETE_FAILURE, as the root
volume cannot be deleted.
Co-Authored-By: Claude Opus 4.6 <noreply at anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
efi/loader/protocols/file.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/efi/loader/protocols/file.c b/efi/loader/protocols/file.c
index 93700d2d3bdc..0796b3f0c26a 100644
--- a/efi/loader/protocols/file.c
+++ b/efi/loader/protocols/file.c
@@ -285,6 +285,11 @@ static efi_status_t EFIAPI efi_file_delete(struct efi_file_handle *file)
file_close(fh);
+ if (!fh->parent) {
+ free(fh);
+ return EFI_EXIT(EFI_WARN_DELETE_FAILURE);
+ }
+
ret = unlinkat(fh->parent->fd, fh->path, flags);
free(fh);
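Review bot: the new `if (!fh->parent)` check carries no comment explaining that a NULL parent identifies the root volume handle created by efi_open_volume(). A one-line comment above it would stop a later reader from treating it as a generic defensive test and removing or moving it. The branch also repeats the `free(fh)` that the normal path performs right after `unlinkat()`. Setting the status in the branch and falling through to a single free/return would keep the two cleanup paths from drifting apart. Keeping the check after `file_close(fh)` is right, since UEFI requires Delete() to close the handle even when it returns EFI_WARN_DELETE_FAILURE. A regression test that calls Delete() on the root handle would be worth adding alongside this.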
--
2.47.3