Re: [edk2] what is GetVariable() security issue?

Subject: Re: [edk2] what is GetVariable() security issue?

From: Laszlo Ersek <lersek@redhat.com>

To: edk2-devel@lists.sourceforge.net

Date: 2012-08-20 16:48:30

On 08/20/12 08:08, winddy wrote:
> Dear Expert,
>    I find in UefiLib.c, function GetVariable() will not be used any more. 
>    In function header, it comment that "This function will be deprecated
> for security reason".
>    May I know what is that security reason?
>    Thanks.
> 
> 
> [ATTENTION] This function will be deprecated for security reason.
> VOID *
> EFIAPI
> GetVariable (
>   IN CONST CHAR16    *Name,
>   IN CONST EFI_GUID  *Guid
>   );
> 
> ------------------
> BR
> winddy_zhang

I guess the security reason is that the size of the global variable is
not returned, and the caller must rely on NUL-termination or another way
to figure out the size. See svn rev 13375 and GetEfiGlobalVariable2().

Laszlo

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel