diff options
| author | Peter Jones <pjones@redhat.com> | 2023-07-26 14:47:45 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2023-12-05 13:17:19 -0500 |
| commit | 5a5147d1e19cf90ec280990c84061ac3f67ea1ab (patch) | |
| tree | 1bfe6c4b713d8c83b9471970c16a49e0b7ad6975 /Cryptlib/opensslconf-diff.patch | |
| parent | 8372147528d6563966c4e201ece81674a824dc58 (diff) | |
| download | efi-boot-shim-5a5147d1e19cf90ec280990c84061ac3f67ea1ab.tar.gz efi-boot-shim-5a5147d1e19cf90ec280990c84061ac3f67ea1ab.zip | |
CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
In read_header(), we attempt to parse the PE binary headers. In doing
so, if there is an MZ (i.e. MS-DOS) header, we locate the PE header by
finding the offset in that header. Unfortunately that is not correctly
bounds checked, and carefully chosen values can cause an out-of-bounds
ready beyond the end of the loaded binary.
Unfortunately the trivial fix (bounds check that value) also makes it
clear that the way we were determining if an image is loadable on this
platform and distinguishing between PE32 and PE32+ binaries has the
exact same issue going on, and so the fix includes reworking that logic
to correctly bounds check all of those tests as well.
It's not currently known if this is actually exploitable beyond creating
a denial of service, and an attacker who is in a position to use it for
a denial of service attack must already be able to do so.
Resolves: CVE-2023-40551
Reported-by: gkirkpatrick@google.com
Signed-off-by: Peter Jones <pjones@redhat.com>
Diffstat (limited to 'Cryptlib/opensslconf-diff.patch')
0 files changed, 0 insertions, 0 deletions