Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
hughsie asked me to also make it observable at runtime whether the shim
binary that was used to boot was set as NX_COMPAT or not.
This adds that into the HSIStatus data as "shim-has-nx-compat-set".
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
When we're parsing the PE header of shim itself from the Loaded Image
object, the signatures aren't present, but the Certificate Table entry
in the Data Directory has not been cleared, so it'll fail verification.
We know when we're doing that, so this patch makes that test optional.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
GCC 4 doesn't have __builtin_add_overflow() and friends, so this results
in a compiler error.
On platforms using that version, do the arithmetic without it.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Several of our CVE fixes apparently were not well tested on 32-bit, and
needed some (uintptr_t) casts sprinkled about to build with
-Werror=pointer-to-int-cast.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In CVE-2023-40550, we scan the section headers for the section
name without having verified that the section header is actually in the
binary.
This patch adds such verification to read_headers().
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Since the fuzzer already found one problem here, and none of that data
is intended to be trusted to begin with, it makes sense to use checked
math for all of the values read from the PE headers.
This updates all of that math to use checked arithmetic operations.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In read_header(), we attempt to parse the PE binary headers. In doing
so, if there is an MZ (i.e. MS-DOS) header, we locate the PE header by
finding the offset in that header. Unfortunately that is not correctly
bounds checked, and carefully chosen values can cause an out-of-bounds
read beyond the end of the loaded binary.
Unfortunately the trivial fix (bounds check that value) also makes it
clear that the way we were determining if an image is loadable on this
platform and distinguishing between PE32 and PE32+ binaries has the
exact same issue going on, and so the fix includes reworking that logic
to correctly bounds check all of those tests as well.
It's not currently known if this is actually exploitable beyond creating
a denial of service, and an attacker who is in a position to use it for
a denial of service attack must already be able to do so.
Resolves: CVE-2023-40551
Reported-by: gkirkpatrick@google.com
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In 569270d8603d68308ad8bf8ef4cad4b09101d35e, the PE loader's address
sanitizing function, ImageAddress(), was changed to match the intended
behavior and the accompanying test case. Unfortunately, the PE
relocator uses this function to compute the last address in the
relocation directory, and as a result, any binary with relocations
will trigger that edge condition and fail to load.
This patch changes that call to compute the address that's one byte
earlier. The only things the computed value is used for are a) testing
that the relocation *section* is valid, and b) serving as a limit for
iterating the relocations. Since a relocation is never less than two
bytes, this will still work.
[commit message re-written to be more informative by pjones]
Signed-off-by: Dennis Tseng <dennis.tseng@suse.com>
|
|
This adds a test case for our address sanitation checking function
ImageAddress(). In doing so it addresses two issues:
- previously we allowed the address after the last byte of the image to
be computed (may need to revert this or fix some callers, we'll see...)
- bespoke overflow checking and using + directly instead of using
__builtin_add_overflow()
Signed-off-by: Peter Jones <pjones@redhat.com>
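The checks these commit messages describe, gathered into one added example that is not shim's code: checked arithmetic with a fallback for GCC 4 (which lacks __builtin_add_overflow()), a bounds-checked walk from the MZ header's e_lfanew to the PE signature and on to the PE32/PE32+ magic, verification that every section header lies inside the image, the ImageAddress() convention that rejects the address one past the last byte, and reading the NX_COMPAT DllCharacteristics bit that the HSIStatus commit exposes. The offsets follow the standard PE/COFF layout; every function, type and error name here is an assumption of this example, and build_test_image() produces a constructed image rather than a real binary.

```c
/* Added example, not shim's code: parse untrusted PE headers as the commits above
 * describe. Standard PE/COFF offsets; function, type and error names are made up. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
#define PE32_MAGIC     0x10b
#define PE32PLUS_MAGIC 0x20b
enum { PE_OK = 0, PE_ERR_TRUNCATED = -1, PE_ERR_BAD_MAGIC = -2 };

struct pe_info {
	int is_pe32plus;             /* optional header magic was PE32+ */
	uint16_t dll_characteristics;
	int nx_compat;               /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT set */
};

/* Checked add: GCC 5+/clang have __builtin_add_overflow(); GCC 4 gets an
 * explicit test. Returns nonzero when a + b does not fit in a size_t. */
static int add_overflows(size_t a, size_t b, size_t *out)
{
#if defined(__clang__) || (defined(__GNUC__) && __GNUC__ >= 5)
	return __builtin_add_overflow(a, b, out);
#else
	if (a > SIZE_MAX - b) return 1;
	*out = a + b;
	return 0;
#endif
}

/* Is [off, off+len) inside `size` bytes? Checked so a huge `off` cannot wrap. */
static int range_in_image(size_t size, size_t off, size_t len)
{
	size_t end;
	return !add_overflows(off, len, &end) && end <= size;
}

/* Sanitizer in the spirit of ImageAddress(): only an offset naming an existing
 * byte is valid, so one-past-the-end yields NULL; a caller that wants the end of
 * a region must ask for its last byte, off + len - 1. */
const uint8_t *image_address(const uint8_t *base, size_t size, size_t off)
{
	return off < size ? base + off : NULL;
}

/* Little-endian accessors that assume neither alignment nor host endianness. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }
static void putle(uint8_t *p, uint32_t v, int n) { while (n--) { *p++ = (uint8_t)v; v >>= 8; } }

int parse_pe_headers(const uint8_t *img, size_t size, struct pe_info *out)
{
	size_t pe_off = 0, opt_off;
	uint16_t magic, nsections, opt_size;
	memset(out, 0, sizeof(*out));
	/* MZ stub: e_lfanew at 0x3c is attacker-controlled; range-check it before use. */
	if (range_in_image(size, 0, 0x40) && img[0] == 'M' && img[1] == 'Z')
		pe_off = le32(img + 0x3c);
	/* "PE\0\0" signature plus the 20-byte COFF header must fit in the image. */
	if (!range_in_image(size, pe_off, 4 + 20))
		return PE_ERR_TRUNCATED;
	if (memcmp(img + pe_off, "PE\0\0", 4) != 0)
		return PE_ERR_BAD_MAGIC;
	nsections = le16(img + pe_off + 4 + 2);    /* COFF NumberOfSections */
	opt_size  = le16(img + pe_off + 4 + 16);   /* COFF SizeOfOptionalHeader */
	opt_off   = pe_off + 4 + 20;               /* in bounds: checked above */
	/* PE32 vs PE32+ comes from the optional header magic, which must be in
	 * bounds before it is read; DllCharacteristics is at offset 70 in both. */
	if (opt_size < 72 || !range_in_image(size, opt_off, opt_size))
		return PE_ERR_TRUNCATED;
	magic = le16(img + opt_off);
	if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC)
		return PE_ERR_BAD_MAGIC;
	out->is_pe32plus = (magic == PE32PLUS_MAGIC);
	out->dll_characteristics = le16(img + opt_off + 70);
	out->nx_compat = (out->dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
	/* Every 40-byte section header must lie inside the image before its name or
	 * sizes are inspected (both operands are <= 65535, so this sum cannot wrap). */
	if (!range_in_image(size, opt_off, (size_t)opt_size + (size_t)nsections * 40))
		return PE_ERR_TRUNCATED;
	return PE_OK;
}

/* Constructed test image, not a real binary: MZ stub carrying `e_lfanew`, a PE
 * header at 0x40 with no sections and a 96-byte optional header. Returns its length. */
size_t build_test_image(uint8_t *buf, size_t cap, uint32_t e_lfanew,
			uint16_t magic, uint16_t dllchar)
{
	size_t len = 0x40 + 4 + 20 + 96;
	if (cap < len) return 0;
	memset(buf, 0, len);
	memcpy(buf, "MZ", 2);
	putle(buf + 0x3c, e_lfanew, 4);
	memcpy(buf + 0x40, "PE\0\0", 4);
	putle(buf + 0x40 + 4 + 16, 96, 2);         /* SizeOfOptionalHeader */
	putle(buf + 0x40 + 24, magic, 2);
	putle(buf + 0x40 + 24 + 70, dllchar, 2);
	return len;
}
```

Two design points carry over from the commits: every offset read out of the image is passed through range_in_image() before it is dereferenced, so a hostile e_lfanew or SizeOfOptionalHeader fails closed rather than reading past the buffer, and image_address() deliberately has no notion of "end of image", so code that needs the end of the relocation directory asks for its last byte instead of the byte after it, which is exactly the adjustment the relocator commit above makes.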
|
|
This moves the parts of pe.c that *don't* depend on Cryptlib into
pe-relocate.c, so we can write test cases for them without having to
make a second openssl build without EFI support.
Signed-off-by: Peter Jones <pjones@redhat.com>
|