qemu/ipxe-efi-fix-uninitialised-data-in-HII.patch

From c9f6a8605955926017cdbe2fa99a4b72fd0985a2 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 29 Jun 2016 15:13:35 +0100
Subject: [PATCH] [efi] Fix uninitialised data in HII IFR structures

The HII IFR structures are allocated via realloc() rather than
zalloc(), and so are not automatically zeroed.  This results in the
presence of uninitialised and invalid data, causing crashes elsewhere
in the UEFI firmware.

Fix by explicitly zeroing the newly allocated portion of any IFR
structure in efi_ifr_op().

Debugged-by: Laszlo Ersek <lersek@redhat.com>
Debugged-by: Gary Lin <glin@suse.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/interface/efi/efi_hii.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/interface/efi/efi_hii.c b/src/interface/efi/efi_hii.c
index 0ea970e..506fc88 100644
--- a/src/interface/efi/efi_hii.c
+++ b/src/interface/efi/efi_hii.c
@@ -117,6 +117,7 @@ static void * efi_ifr_op ( struct efi_ifr_builder *ifr, unsigned int opcode,
 	ifr->ops_len = new_ops_len;
 
 	/* Fill in opcode header */
+	memset ( op, 0, len );
 	op->OpCode = opcode;
 	op->Length = len;
 
-- 
2.8.4
Accepting request 406664 from home:gary_lin:branches:Virtualization - Fix OVMF iPXE network menu (bsc#986033, boo#987488) ipxe-efi-fix-garbage-bytes-in-device-path.patch ipxe-efi-fix-uninitialised-data-in-HII.patch OBS-URL: https://build.opensuse.org/request/show/406664 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=302 2016-07-05 17:38:07 +02:00			`From c9f6a8605955926017cdbe2fa99a4b72fd0985a2 Mon Sep 17 00:00:00 2001`
			`From: Michael Brown <mcb30@ipxe.org>`
			`Date: Wed, 29 Jun 2016 15:13:35 +0100`
			`Subject: [PATCH] [efi] Fix uninitialised data in HII IFR structures`

			`The HII IFR structures are allocated via realloc() rather than`
			`zalloc(), and so are not automatically zeroed. This results in the`
			`presence of uninitialised and invalid data, causing crashes elsewhere`
			`in the UEFI firmware.`

			`Fix by explicitly zeroing the newly allocated portion of any IFR`
			`structure in efi_ifr_op().`

			`Debugged-by: Laszlo Ersek <lersek@redhat.com>`
			`Debugged-by: Gary Lin <glin@suse.com>`
			`Signed-off-by: Michael Brown <mcb30@ipxe.org>`
			`---`
			`src/interface/efi/efi_hii.c \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/src/interface/efi/efi_hii.c b/src/interface/efi/efi_hii.c`
			`index 0ea970e..506fc88 100644`
			`--- a/src/interface/efi/efi_hii.c`
			`+++ b/src/interface/efi/efi_hii.c`
			`@@ -117,6 +117,7 @@ static void * efi_ifr_op ( struct efi_ifr_builder *ifr, unsigned int opcode,`
			`ifr->ops_len = new_ops_len;`

			`/* Fill in opcode header */`
			`+ memset ( op, 0, len );`
			`op->OpCode = opcode;`
			`op->Length = len;`

			`--`
			`2.8.4`