[PATCH master 20/39] efi: fix out-of-bounds read in device path unknown node printing
Ahmad Fatoum
a.fatoum at pengutronix.de
Mon Feb 16 00:44:20 PST 2026
dev_path_node_unknown() initializes 'value' to point past the 4-byte
device path header (type + sub_type + length), but uses
Path->length as the loop count. Since Path->length includes the
header, the loop reads 4 bytes beyond the node's data.
Subtract the header size from the loop bound.
Co-Authored-By: Claude Opus 4.6 <noreply at anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
efi/devicepath.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/efi/devicepath.c b/efi/devicepath.c
index 8298073572ae..31a509f99e42 100644
--- a/efi/devicepath.c
+++ b/efi/devicepath.c
@@ -622,7 +622,7 @@ dev_path_node_unknown(struct string *str, const void *dev_path)
break;
}
}
- length = Path->length;
+ length = Path->length - sizeof(struct efi_device_path);
for (index = 0; index < length; index++) {
if (index == 0)
cprintf(str, ",0x");
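Review bot: The new bound on the "length = Path->length - sizeof(struct efi_device_path);" line is computed without first checking that Path->length is at least the header size. sizeof() yields a size_t, so for a malformed node whose length field is smaller than the 4-byte header the subtraction wraps instead of going to zero, and the loop that follows is again not bounded by the node's data. Suggest guarding before the assignment, for example treating "Path->length < sizeof(struct efi_device_path)" as a zero-length payload and skipping the loop. The declarations of length and index are outside this hunk, so their types should be checked against that case as well.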
--
2.47.3