From: Josh Snyder
Date: Thu, 02 Apr 2026 16:32:49 -0700
Subject: [PATCH] platform/x86: hp-bioscfg: fix heap buffer overflow in security buffer
To: Jorge Lopez, Hans de Goede, Ilpo Järvinen
Cc: platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org, Josh Snyder
Message-Id: <20260402-hp-bioscfg-overflow-v1-1-6985f8c9e67c@code406.com>
X-Mailer: b4 0.15.1

hp_calculate_security_buffer() returns sizeof(u16) * 2 (4 bytes) for empty strings via an early return. However, hp_populate_security_buffer() always prepends UTF_PREFIX ("<utf-16/>") to non-BEAM authentication strings, including empty ones, before converting to UTF-16. This results in 20 bytes being written into a 4-byte region of the heap buffer allocated in hp_set_attribute(). The 16-byte overrun corrupts adjacent heap memory.

In practice, the firmware's own bounds checking rejects the undersized buffer before acting on it (returning error 0x04), which masked the overflow.

Fix by removing the early return for empty strings.
The calculation at the end of the function already accounts for UTF_PREFIX correctly when authlen is zero: sizeof(u16) + 0 + strlen("<utf-16/>") * sizeof(u16) = 20 bytes, matching what hp_populate_security_buffer() writes.

The NULL check is preserved since hp_populate_security_buffer() would dereference NULL via strstarts().

Fixes: b2715aa2e1352 ("platform/x86: hp-bioscfg: spmobj-attributes")
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Josh Snyder
---
 drivers/platform/x86/hp/hp-bioscfg/spmobj-attributes.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/platform/x86/hp/hp-bioscfg/spmobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/spmobj-attributes.c
index 2b00a14792e92..93e0a077e4240 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/spmobj-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/spmobj-attributes.c
@@ -47,9 +47,6 @@ size_t hp_calculate_security_buffer(const char *authentication)
 		return sizeof(u16) * 2;
 
 	authlen = strlen(authentication);
-	if (!authlen)
-		return sizeof(u16) * 2;
-
 	size = sizeof(u16) + authlen * sizeof(u16);
 	if (!strstarts(authentication, BEAM_PREFIX))
 		size += strlen(UTF_PREFIX) * sizeof(u16);

---
base-commit: cc13002a9f984d37906e9476f3e532a8cdd126f5
change-id: 20260402-hp-bioscfg-overflow-d58dbe53ecf5

Best regards,
-- 
Josh
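Review bot: the surviving `return sizeof(u16) * 2;` at the top of the hunk (the NULL case) still hands the caller a 4-byte size that hp_populate_security_buffer() can never actually fill, and the commit message itself says that path would dereference NULL via strstarts(); consider a short comment on that branch, or a `WARN_ON_ONCE(!authentication)`, so the next reader does not take 4 bytes for a valid populated size. Since this bug came from the sizing and populating code drifting apart, it would also be worth deriving both from one helper that decides whether UTF_PREFIX is prepended, rather than duplicating the `strstarts(..., BEAM_PREFIX)` decision in two functions.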
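To make the size mismatch concrete, here is a userspace model of the two sizing paths and of what the populate side writes, as an added example that is not part of the patch or the driver. It assumes the prefix strings match the driver's BEAM_PREFIX and UTF_PREFIX definitions and models the buffer layout the commit message's arithmetic implies: one u16 length word followed by one u16 per character.

```c
#include <stdint.h>
#include <string.h>

/* Assumed to match the driver's header; UTF_PREFIX is the 9-character
 * marker prepended to password-style (non-BEAM) authentication strings. */
#define BEAM_PREFIX "<BEAM/>"
#define UTF_PREFIX  "<utf-16/>"
#define IS_BEAM(s)  (strncmp((s), BEAM_PREFIX, strlen(BEAM_PREFIX)) == 0)

/* Bytes hp_populate_security_buffer() emits for @auth: a uint16_t length
 * word, then UTF_PREFIX (unless a BEAM token) and the string itself,
 * one uint16_t per ASCII character. Layout modelled from the commit message. */
size_t populate_bytes(const char *auth)
{
	size_t chars = strlen(auth) + (IS_BEAM(auth) ? 0 : strlen(UTF_PREFIX));
	return sizeof(uint16_t) * (1 + chars);
}

/* Sizing before the fix: the empty-string early return ignores the
 * UTF_PREFIX that the populate side still prepends. */
size_t calc_before_fix(const char *auth)
{
	size_t size;
	if (!auth || !strlen(auth))
		return sizeof(uint16_t) * 2;   /* 4 bytes, but 20 get written */
	size = sizeof(uint16_t) * (1 + strlen(auth));
	if (!IS_BEAM(auth))
		size += strlen(UTF_PREFIX) * sizeof(uint16_t);
	return size;
}

/* Sizing after the fix: the generic path already handles authlen == 0;
 * only the NULL early return remains. */
size_t calc_after_fix(const char *auth)
{
	size_t size;
	if (!auth)
		return sizeof(uint16_t) * 2;
	size = sizeof(uint16_t) * (1 + strlen(auth));
	if (!IS_BEAM(auth))
		size += strlen(UTF_PREFIX) * sizeof(uint16_t);
	return size;
}

/* Bytes written past an allocation sized by @calc; 0 means the buffer fits. */
size_t overrun_bytes(size_t (*calc)(const char *), const char *auth)
{
	size_t alloc = calc(auth), written = populate_bytes(auth);
	return written > alloc ? written - alloc : 0;
}
```

Feeding the empty string through overrun_bytes() reproduces the 16-byte overrun with calc_before_fix and 0 with calc_after_fix, while "secret" and a "<BEAM/>"-prefixed token fit under both.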