uefi: memory safety fixes (UB!)

phip1611 · phip1611 · commit 707c8efe50dd · 2025-09-11T17:52:40.000+02:00
diff --git a/uefi-test-runner/examples/sierpinski.rs b/uefi-test-runner/examples/sierpinski.rs
@@ -48,9 +48,9 @@ impl Buffer {
     }
 
     /// Blit the buffer to the framebuffer.
-    fn blit(&self, gop: &mut GraphicsOutput) -> Result {
+    fn blit(&mut self, gop: &mut GraphicsOutput) -> Result {
         gop.blt(BltOp::BufferToVideo {
-            buffer: &self.pixels,
+            buffer: &mut self.pixels,
             src: BltRegion::Full,
             dest: (0, 0),
             dims: (self.width, self.height),
@@ -59,12 +59,12 @@ impl Buffer {
 
     /// Update only a pixel to the framebuffer.
     fn blit_pixel(
-        &self,
+        &mut self,
         gop: &mut GraphicsOutput,
         coords: (usize, usize),
     ) -> Result {
         gop.blt(BltOp::BufferToVideo {
-            buffer: &self.pixels,
+            buffer: &mut self.pixels,
             src: BltRegion::SubRectangle {
                 coords,
                 px_stride: self.width,
diff --git a/uefi/CHANGELOG.md b/uefi/CHANGELOG.md
@@ -23,6 +23,9 @@
   image in QEMU or Cloud Hypervisor, when the debugcon/debug-console device is
   available.
 - The documentation for UEFI protocols has been streamlined and improved.
+- Fixed memory safety bug in `SimpleNetwork::read_nv_data`. The `buffer`
+  parameter is now mutable.
+- Fixed memory safety bug in `GraphicsOutput::blt`
 
 # uefi - 0.35.0 (2025-05-04)
 
diff --git a/uefi/src/proto/console/gop.rs b/uefi/src/proto/console/gop.rs
@@ -201,7 +201,7 @@ impl GraphicsOutput {
                     match src_region {
                         BltRegion::Full => (self.0.blt)(
                             &mut self.0,
-                            buffer.as_ptr() as *mut _,
+                            buffer.as_mut_ptr().cast(),
                             GraphicsOutputBltOperation::BLT_BUFFER_TO_VIDEO,
                             0,
                             0,
@@ -217,7 +217,7 @@ impl GraphicsOutput {
                             px_stride,
                         } => (self.0.blt)(
                             &mut self.0,
-                            buffer.as_ptr() as *mut _,
+                            buffer.as_mut_ptr().cast(),
                             GraphicsOutputBltOperation::BLT_BUFFER_TO_VIDEO,
                             src_x,
                             src_y,
@@ -533,7 +533,7 @@ pub enum BltOp<'buf> {
     /// Delta must be the stride (count of bytes in a row) of the buffer.
     BufferToVideo {
         /// Buffer from which to copy data.
-        buffer: &'buf [BltPixel],
+        buffer: &'buf mut [BltPixel],
         /// Location of the source rectangle in the user-provided buffer.
         src: BltRegion,
         /// Coordinates of the destination rectangle, in the frame buffer.
diff --git a/uefi/src/proto/network/snp.rs b/uefi/src/proto/network/snp.rs
@@ -144,14 +144,14 @@ impl SimpleNetwork {
 
     /// Perform read operations on the NVRAM device attached to
     /// a network interface.
-    pub fn read_nv_data(&self, offset: usize, buffer: &[u8]) -> Result {
+    pub fn read_nv_data(&self, offset: usize, buffer: &mut [u8]) -> Result {
         unsafe {
             (self.0.non_volatile_data)(
                 &self.0,
                 Boolean::from(true),
                 offset,
                 buffer.len(),
-                buffer.as_ptr() as *mut c_void,
+                buffer.as_mut_ptr().cast(),
             )
         }
         .to_result()
