| author | Peter Jones <pjones@redhat.com> | 2023-07-27 17:59:22 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2023-12-05 13:19:54 -0500 |
| commit | e7f5fdf53ee68025f3ef2688e2f27ccb0082db83 (patch) | |
| tree | 14fd7f953c4662545954e6f9505dbcfecfe771e5 | |
| parent | 93ce2552f3e9f71f888a672913bfc0eef255c56d (diff) | |
pe-relocate: Ensure nothing else implements CVE-2023-40550

In CVE-2023-40550, we scan the section headers for the section
name without having verified that the section header is actually in the
binary.

This patch adds such verification to read_headers()

Signed-off-by: Peter Jones <pjones@redhat.com>

| -rw-r--r-- | pe-relocate.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/pe-relocate.c b/pe-relocate.c index 1723642f..cb7a02ca 100644 --- a/pe-relocate.c +++ b/pe-relocate.c @@ -472,6 +472,13 @@ read_header(void *data, unsigned int datasize, return EFI_UNSUPPORTED; } + if (checked_mul((size_t)context->NumberOfSections, sizeof(EFI_IMAGE_SECTION_HEADER), &tmpsz0) || + checked_add(tmpsz0, SectionHeaderOffset, &tmpsz0) || + (tmpsz0 > datasize)) { + perror(L"Image sections overflow section headers\n"); + return EFI_UNSUPPORTED; + } + if (checked_sub((size_t)(uintptr_t)PEHdr, (size_t)(uintptr_t)data, &tmpsz0) || checked_add(tmpsz0, sizeof(EFI_IMAGE_OPTIONAL_HEADER_UNION), &tmpsz0) || (tmpsz0 > datasize)) { |
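
Review bot: the perror() string in the added check, "Image sections overflow section headers", describes the condition backwards. What the condition tests is whether the section header table, NumberOfSections * sizeof(EFI_IMAGE_SECTION_HEADER) bytes starting at SectionHeaderOffset, ends past datasize, so wording such as "Section headers extend past end of image" would match the test and be easier to distinguish from the other EFI_UNSUPPORTED returns in this function when reading a boot log. The commit message also names read_headers(), while the hunk header shows the function as read_header(). A one-line comment above the check stating that it guards the later scan of section headers by name would keep the intent visible in the code and not only in the commit message.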
