diff options
| author | Peter Jones <pjones@redhat.com> | 2023-07-27 15:21:31 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2023-12-05 13:20:00 -0500 |
| commit | 96dccc255b16e9465dbee50b3cef6b3db74d11c8 (patch) | |
| tree | 030933081a8182b81975d3bb65e5d5980e0db3b8 /include | |
| parent | afdc5039de0a4a3a40162a32daa070f94a883f09 (diff) | |
| download | efi-boot-shim-96dccc255b16e9465dbee50b3cef6b3db74d11c8.tar.gz efi-boot-shim-96dccc255b16e9465dbee50b3cef6b3db74d11c8.zip | |
CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
In verify_sbat_section(), we do some math on data that comes from the
binary being verified - in this case, we add 1 to the size of the
".sbat" section as reported in the section header, which is then used as
the input to the size of an allocation. The original value is then used
for a size in a memcpy(), which means there's an out-of-bounds write in
the overflow case.
Due to the type of the variable being size_t, but the type in the
section header being uint32_t, this is only plausibly accomplished on
32-bit systems.
This patch makes the arithmetic use a checked add operation to avoid
overflow. Additionally, it adds a check in verify_buffer_sbat() to
guarantee that the data is within the binary.
It's not currently known if this is actually exploitable on such
systems; the memory layout on a particular machine may further mitigate
this scenario.
Resolves: CVE-2023-40548
Reported-by: gkirkpatrick@google.com
Signed-off-by: Peter Jones <pjones@redhat.com>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions