Hi Heinirch,
On Tue, 30 Jun 2026 at 02:35, Heinrich Schuchardt <[email protected]> wrote: > > In efi_sigstore_parse_siglist() sigdata is allocated. But instead of an > allocation matching the size of sigdata, tainted external data was used > to calculate the allocation size. This may lead to buffer overflows. > > * Correct the allocation size. > * Follow the man-page. Use the structure size as second argument for > calloc. I think the fix is correct, but the commit message might be misleading. Looking at the values sizeof(*sig_data) is 40b, but the esl->signature_size - sizeof(esd->signature_owner)) is way bigger and depends on the actual signature size. So I dont think something bad really happens apart from wasting a few bytes of memory. The actual point of the signature size is correctly allocated a few lines below. > > Signed-off-by: Heinrich Schuchardt <[email protected]> With the commit message updated Reviewed-by: Ilias Apalodimas <[email protected]> > --- > v2: > no change > --- > lib/efi_loader/efi_signature.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c > index 93a4f257016..6aff5c14a89 100644 > --- a/lib/efi_loader/efi_signature.c > +++ b/lib/efi_loader/efi_signature.c > @@ -703,8 +703,7 @@ efi_sigstore_parse_siglist(struct efi_signature_list *esl) > goto err; > } > > - sig_data = calloc(esl->signature_size > - - sizeof(esd->signature_owner), 1); > + sig_data = calloc(1, sizeof(*sig_data)); > if (!sig_data) { > EFI_PRINT("Out of memory\n"); > goto err; > -- > 2.53.0 >

