In efi_sigstore_parse_siglist() sigdata is allocated. But instead of an
allocation matching the size of sigdata, tainted external data was used
to calculate the allocation size. This may lead to buffer overflows.

* Correct the allocation size.
* Follow the man-page. Use the structure size as second argument for
  calloc.

Signed-off-by: Heinrich Schuchardt <[email protected]>
---
 lib/efi_loader/efi_signature.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 93a4f257016..6aff5c14a89 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -703,8 +703,7 @@ efi_sigstore_parse_siglist(struct efi_signature_list *esl)
                        goto err;
                }
 
-               sig_data = calloc(esl->signature_size
-                                       - sizeof(esd->signature_owner), 1);
+               sig_data = calloc(1, sizeof(*sig_data));
                if (!sig_data) {
                        EFI_PRINT("Out of memory\n");
                        goto err;
-- 
2.53.0

Reply via email to