efi_loader: Avoid underflow when calculating remaining var store size

The efi_var_mem_free() function calculates the available size for a new
EFI variable by subtracting the occupied buffer size and the overhead
for a new variable from the maximum buffer size set in Kconfig. This
is then returned as QueryVariableInfo()'s RemainingVariableStorageSize
output.

This can underflow as the calculation is done in and processed as
unsigned integer types. Check for underflow before doing the subtraction
and return zero if there's no space.

Fixes: f1f990a8c958 ("efi_loader: memory buffer for variables")
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>

diff --git a/lib/efi_loader/efi_var_mem.c b/lib/efi_loader/efi_var_mem.c
index d6b65aed12ea1001a1fe0840fa75978a0acac859..5fa7dcb8d3edf6c73a5d9d9973f396068831138c 100644 (file)
--- a/lib/efi_loader/efi_var_mem.c
+++ b/lib/efi_loader/efi_var_mem.c
@@ -177,6 +177,10 @@ efi_status_t __efi_runtime efi_var_mem_ins(
 
 u64 __efi_runtime efi_var_mem_free(void)
 {
+       if (efi_var_buf->length + sizeof(struct efi_var_entry) >=
+           EFI_VAR_BUF_SIZE)
+               return 0;
+
        return EFI_VAR_BUF_SIZE - efi_var_buf->length -
               sizeof(struct efi_var_entry);
 }