[PATCH master 24/39] efi: runtime: fix variable store bounds check to account for alignment
Ahmad Fatoum
a.fatoum at pengutronix.de
Mon Feb 16 00:44:24 PST 2026
efi_var_mem_ins() checks whether the new variable fits in the buffer,
but doesn't account for the up-to-7 bytes of ALIGN(..., 8) padding
that is applied when computing the final buffer length. This means a
variable insertion at the boundary of available space can write past
efi_var_buf_rtsize.
Use ALIGN() in the bounds check to match the actual space consumption.
Co-Authored-By: Claude Opus 4.6 <noreply at anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
efi/runtime/efi_var_mem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/efi/runtime/efi_var_mem.c b/efi/runtime/efi_var_mem.c
index 83b5c53b063b..9752f1ca5fa4 100644
--- a/efi/runtime/efi_var_mem.c
+++ b/efi/runtime/efi_var_mem.c
@@ -192,8 +192,8 @@ efi_status_t __efi_runtime efi_var_mem_ins(
var_name_len = u16_strlen(variable_name) + 1;
data = var->name + var_name_len;
- if ((uintptr_t)data - (uintptr_t)efi_var_buf + size1 + size2 >
- efi_var_buf_rtsize)
+ if (ALIGN((uintptr_t)data + size1 + size2, 8) -
+ (uintptr_t)efi_var_buf > efi_var_buf_rtsize)
return EFI_OUT_OF_RESOURCES;
var->attr = attributes;
--
2.47.3
More information about the barebox
mailing list