The HII IFR structures are allocated via realloc() rather than zalloc(), and so are not automatically zeroed. This results in the presence of uninitialised and invalid data, causing crashes elsewhere in the UEFI firmware. Fix by explicitly zeroing the newly allocated portion of any IFR structure in efi_ifr_op(). Debugged-by: Laszlo Ersek <lersek@redhat.com> Debugged-by: Gary Lin <glin@suse.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>

il y a 8 ans · c9f6a86059
--- a/src/interface/efi/efi_hii.c
+++ b/src/interface/efi/efi_hii.c
@@ -117,6 +117,7 @@ static void * efi_ifr_op ( struct efi_ifr_builder *ifr, unsigned int opcode,
 
				
				 	ifr->ops_len = new_ops_len;
			
 
				
				 
			
 
				
				 	/* Fill in opcode header */
			
 
				
				+	memset ( op, 0, len );
			
 
				
				 	op->OpCode = opcode;
			
 
				
				 	op->Length = len;