On 31/05/2024 16:41, Paolo Bonzini wrote: > On Fri, May 31, 2024 at 5:20 PM Liam Merwick <liam.merwick@xxxxxxxxxx> wrote: >>> + metadata = (OvmfSevMetadata *)(flash_ptr + flash_size - data->offset); >>> + if (memcmp(metadata->signature, "ASEV", 4) != 0) { >>> + return; >>> + } >>> + >>> + ovmf_sev_metadata_table = g_malloc(metadata->len); >> >> There should be a bounds check on metadata->len before using it. > > You mean like: > > if (metadata->len <= flash_size - data->offset) { > ovmf_sev_metadata_table = g_memdup2(metadata, metadata->len); > } > Yeah, and maybe before that if (metadata->len < sizeof(OvmfSevMetadata)) return But the main thing would be checking the upper bound to avoid allocating a huge amount of memory Regards, Liam