From: Sascha Hauer
To: Barebox List
Cc: Sascha Hauer, "Claude Opus 4.6 (1M context)"
Date: Mon, 13 Apr 2026 14:36:44 +0200
Subject: [PATCH 2/4] efi: loader: validate section raw data bounds against image size
Message-ID: <20260413123646.3552086-2-s.hauer@pengutronix.de>
In-Reply-To: <20260413123646.3552086-1-s.hauer@pengutronix.de>
References: <20260413123646.3552086-1-s.hauer@pengutronix.de>
X-Mailer: git-send-email 2.47.3
X-BeenThere: barebox@lists.infradead.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Sascha Hauer

When loading PE sections, PointerToRawData and SizeOfRawData from the section header are used to memcpy from the input image without checking that the source region fits within the image buffer. A crafted PE with PointerToRawData pointing near the end of the file causes a read past the input buffer.

Use size_add() for the bounds check so that the addition saturates to SIZE_MAX on overflow instead of wrapping, which would bypass the check on 32-bit architectures where unsigned long is 32 bits.
Signed-off-by: Sascha Hauer Co-Authored-By: Claude Opus 4.6 (1M context) --- efi/loader/pe.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/efi/loader/pe.c b/efi/loader/pe.c index 7c5aaa1f91..3190718df5 100644 --- a/efi/loader/pe.c +++ b/efi/loader/pe.c @@ -706,6 +706,11 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, memset(efi_reloc + sec->VirtualAddress, 0, sec->Misc.VirtualSize); } + if (size_add(sec->PointerToRawData, copy_size) > efi_size) { + pr_err("Section %d exceeds image size\n", i); + ret = EFI_LOAD_ERROR; + goto err; + } memcpy(efi_reloc + sec->VirtualAddress, efi + sec->PointerToRawData, copy_size); -- 2.47.3
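Review bot: the commit message says SizeOfRawData is the length passed to memcpy, but the new check bounds copy_size; if copy_size is clamped below SizeOfRawData before this point the check is right as written and the message should say so, otherwise the message and the check should agree on which length is validated. The check also covers only the source side of the memcpy: the destination range efi_reloc + sec->VirtualAddress .. + copy_size is not validated in this hunk, so it is worth confirming that another patch in the series handles it. Finally, consider printing PointerToRawData, copy_size and efi_size in the pr_err so a rejected image can be diagnosed from the log rather than only "Section %d exceeds image size".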
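The bypass the commit message describes, as an added stand-alone example that is not barebox code: a saturating add with the semantics of size_add() beside a plain 32-bit wrapping add, applied to constructed section headers against a constructed 4096-byte image. The struct, the helper names, the sample values and the assumption that copy_size is min(SizeOfRawData, VirtualSize) are all this example's own; the loader's real derivation of copy_size is not visible in the patch.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a PE section header: only the fields the check uses. */
struct pe_section {
	uint32_t VirtualSize;
	uint32_t VirtualAddress;
	uint32_t SizeOfRawData;
	uint32_t PointerToRawData;
};

/* Saturating addition with the semantics of size_add(): SIZE_MAX on overflow. */
static size_t sat_size_add(size_t a, size_t b)
{
	size_t sum = a + b;
	return sum < a ? SIZE_MAX : sum;
}

/* Bounds check as in the patch: the raw data region must lie inside the image. */
int section_raw_in_bounds(const struct pe_section *sec, size_t copy_size,
			  size_t image_size)
{
	return sat_size_add(sec->PointerToRawData, copy_size) <= image_size;
}

/* The same check with plain 32-bit wrapping arithmetic: this is what a
 * wrapping add does on a platform where size_t is 32 bits. */
int section_raw_in_bounds_wrapping32(const struct pe_section *sec,
				     uint32_t copy_size, uint32_t image_size)
{
	uint32_t end = sec->PointerToRawData + copy_size; /* may wrap to a small value */
	return end <= image_size;
}

/* Copy a section's raw bytes into dst only after the source range is checked.
 * copy_size is assumed here to be min(SizeOfRawData, VirtualSize).
 * Returns the number of bytes copied, or -1 if the section is rejected. */
long load_section_raw(uint8_t *dst, size_t dst_size,
		      const uint8_t *image, size_t image_size,
		      const struct pe_section *sec)
{
	size_t copy_size = sec->SizeOfRawData < sec->VirtualSize ?
			   sec->SizeOfRawData : sec->VirtualSize;

	if (copy_size > dst_size)
		return -1;
	if (!section_raw_in_bounds(sec, copy_size, image_size))
		return -1;
	memcpy(dst, image + sec->PointerToRawData, copy_size);
	return (long)copy_size;
}

/* Constructed sample data: a 4096-byte image and three section headers. */
#define SAMPLE_IMAGE_SIZE 4096
static const struct pe_section sec_ok       = { 512, 0x1000, 512, 1024 };       /* fits */
static const struct pe_section sec_past_end = { 512, 0x2000, 512, 4000 };       /* 4000+512 > 4096 */
static const struct pe_section sec_wrap     = { 512, 0x3000, 512, 0xFFFFFF00u }; /* 32-bit sum wraps to 0x100 */

/* Run load_section_raw() over a constructed image for the given section. */
long load_sample_section(const struct pe_section *sec)
{
	uint8_t image[SAMPLE_IMAGE_SIZE];
	uint8_t dst[512];

	memset(image, 0xAB, sizeof(image));
	return load_section_raw(dst, sizeof(dst), image, sizeof(image), sec);
}

int main(void)
{
	printf("in-range section copied: %ld bytes\n", load_sample_section(&sec_ok));
	printf("section past end of image: %ld\n", load_sample_section(&sec_past_end));
	printf("overflowing section, saturating check accepts: %d\n",
	       section_raw_in_bounds(&sec_wrap, 512, SAMPLE_IMAGE_SIZE));
	printf("overflowing section, 32-bit wrapping check accepts: %d\n",
	       section_raw_in_bounds_wrapping32(&sec_wrap, 512, SAMPLE_IMAGE_SIZE));
	return 0;
}
```

The last two lines of output are the point: with PointerToRawData near the top of the 32-bit range the wrapping sum lands at 0x100, which is comfortably below the image size, so the naive check accepts a section whose raw data starts far outside the buffer; the saturating sum is either SIZE_MAX (on 32-bit) or 0x100000100 (on 64-bit), and both are rejected.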