mm/pmm: Check for overflow in UEFI memmap AllocatePool size
diff --git a/common/lib/misc.c b/common/lib/misc.c
index bbe62399..58c2bd3d 100644
--- a/common/lib/misc.c
+++ b/common/lib/misc.c
@@ -266,7 +266,7 @@ bool efi_exit_boot_services(void) {
}
EFI_MEMORY_DESCRIPTOR *efi_copy;
- status = gBS->AllocatePool(EfiLoaderData, efi_mmap_size * 2, (void **)&efi_copy);
+ status = gBS->AllocatePool(EfiLoaderData, CHECKED_MUL(efi_mmap_size, (UINTN)2, goto fail), (void **)&efi_copy);
if (status) {
goto fail;
}
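Review bot: The `goto fail` exit is buried inside the argument list of `gBS->AllocatePool(...)`, so the overflow bail-out in efi_exit_boot_services is easy to miss when reading the call. The chainload.c hunk has the same shape, with `panic(true, "efi: Allocation size overflow")` passed as the macro's action inside the call. Hoisting the product into a named local, as the pmm.s2.c hunk does, keeps control flow at statement level: `UINTN efi_copy_size = CHECKED_MUL(efi_mmap_size, (UINTN)2, goto fail);` then `status = gBS->AllocatePool(EfiLoaderData, efi_copy_size, (void **)&efi_copy);` (assuming `efi_mmap_size` is a `UINTN`, as the cast suggests). The definition of CHECKED_MUL and the `fail` label are outside the hunk, and the function body continues past it.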
diff --git a/common/mm/pmm.s2.c b/common/mm/pmm.s2.c
index 1a86b3a4..da7c025c 100644
--- a/common/mm/pmm.s2.c
+++ b/common/mm/pmm.s2.c
@@ -328,13 +328,15 @@ void init_memmap(void) {
goto fail;
}
- status = gBS->AllocatePool(EfiLoaderData, memmap_max_entries * sizeof(struct memmap_entry), (void **)&memmap);
+ size_t memmap_alloc_size = CHECKED_MUL(memmap_max_entries, sizeof(struct memmap_entry), goto fail);
+
+ status = gBS->AllocatePool(EfiLoaderData, memmap_alloc_size, (void **)&memmap);
if (status) {
gBS->FreePool(efi_mmap);
goto fail;
}
- status = gBS->AllocatePool(EfiLoaderData, memmap_max_entries * sizeof(struct memmap_entry), (void **)&untouched_memmap);
+ status = gBS->AllocatePool(EfiLoaderData, memmap_alloc_size, (void **)&untouched_memmap);
if (status) {
gBS->FreePool(efi_mmap);
gBS->FreePool(memmap);
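Review bot: The new overflow exit at `size_t memmap_alloc_size = CHECKED_MUL(memmap_max_entries, sizeof(struct memmap_entry), goto fail);` jumps to `fail` without calling `gBS->FreePool(efi_mmap)`, whereas both AllocatePool failure branches directly below release `efi_mmap` first. Those branches suggest `efi_mmap` is already allocated at this point, so the new path would be inconsistent with them and leave the pool allocation behind. Either compute the size before `efi_mmap` is obtained, or free it on this path too; if CHECKED_MUL accepts a braced action, that could be `{ gBS->FreePool(efi_mmap); goto fail; }` as the third argument. The macro definition and the `fail` label are outside the hunk, so this is moot if `fail` never returns.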
diff --git a/common/protos/chainload.c b/common/protos/chainload.c
index e23cfee5..29de9c24 100644
--- a/common/protos/chainload.c
+++ b/common/protos/chainload.c
@@ -297,7 +297,7 @@ noreturn void chainload(char *config, char *cmdline) {
size_t cmdline_len = strlen(cmdline);
CHAR16 *new_cmdline;
- status = gBS->AllocatePool(EfiLoaderData, (cmdline_len + 1) * sizeof(CHAR16), (void **)&new_cmdline);
+ status = gBS->AllocatePool(EfiLoaderData, CHECKED_MUL(cmdline_len + 1, sizeof(CHAR16), panic(true, "efi: Allocation size overflow")), (void **)&new_cmdline);
if (status) {
panic(true, "efi: Allocation failure");
}
