In efi_sigstore_parse_siglist() sigdata is allocated. But instead of an allocation matching the size of sigdata, tainted external data was used to calculate the allocation size. This may lead to buffer overflows.
* Correct the allocation size. * Follow the man-page. Use the structure size as second argument for calloc. Signed-off-by: Heinrich Schuchardt <[email protected]> --- lib/efi_loader/efi_signature.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 93a4f257016..6aff5c14a89 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -703,8 +703,7 @@ efi_sigstore_parse_siglist(struct efi_signature_list *esl) goto err; } - sig_data = calloc(esl->signature_size - - sizeof(esd->signature_owner), 1); + sig_data = calloc(1, sizeof(*sig_data)); if (!sig_data) { EFI_PRINT("Out of memory\n"); goto err; -- 2.53.0

