From: Sascha Hauer <s.hauer@pengutronix.de>
To: Barebox List <barebox@lists.infradead.org>
Cc: Sascha Hauer <sascha@saschahauer.de>,
"Claude Opus 4.6 \(1M context\)" <noreply@anthropic.com>
Subject: [PATCH 3/4] efi: loader: fix SizeOfBlock underflow in relocation processing
Date: Mon, 13 Apr 2026 14:36:45 +0200 [thread overview]
Message-ID: <20260413123646.3552086-3-s.hauer@pengutronix.de> (raw)
In-Reply-To: <20260413123646.3552086-1-s.hauer@pengutronix.de>
From: Sascha Hauer <sascha@saschahauer.de>
rel->SizeOfBlock is a uint32_t read from the PE image. If it is smaller
than sizeof(IMAGE_BASE_RELOCATION) (8 bytes), the subtraction
SizeOfBlock - sizeof(*rel) underflows. On 32-bit architectures (ARM,
i386, riscv32) the resulting huge unsigned value divided by 2 fits in a
positive int, causing the relocation loop to iterate billions of times,
reading and writing far past the relocation block.
Reject relocation blocks with SizeOfBlock smaller than the base
relocation header.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
efi/loader/pe.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/efi/loader/pe.c b/efi/loader/pe.c
index 3190718df5..ea385c8795 100644
--- a/efi/loader/pe.c
+++ b/efi/loader/pe.c
@@ -120,6 +120,10 @@ static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
end = (const IMAGE_BASE_RELOCATION *)((const char *)rel + rel_size);
while (rel + 1 < end && rel->SizeOfBlock) {
const uint16_t *relocs = (const uint16_t *)(rel + 1);
+
+ if (rel->SizeOfBlock < sizeof(*rel))
+ return EFI_LOAD_ERROR;
+
i = (rel->SizeOfBlock - sizeof(*rel)) / sizeof(uint16_t);
while (i--) {
uint32_t offset = (uint32_t)(*relocs & 0xfff) +
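Review bot: the new check stops the underflow, but nothing in this hunk bounds SizeOfBlock from above: a block whose SizeOfBlock exceeds the bytes remaining before `end` still yields an `i` that walks `relocs` past the directory computed from `rel_size`, since the outer condition `rel + 1 < end` only verifies that the header itself fits. Consider rejecting both cases in the same test, e.g. `if (rel->SizeOfBlock < sizeof(*rel) || rel->SizeOfBlock > (size_t)((const char *)end - (const char *)rel)) return EFI_LOAD_ERROR;`, unless that upper bound is already enforced by the caller or by a later patch in the series.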
--
2.47.3
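The following is an added example, not barebox code and not part of the patch above. It reproduces the arithmetic the commit message describes (a SizeOfBlock below the 8-byte header wrapping to a huge entry count in 32-bit unsigned arithmetic) next to a checked walk over a relocation directory. The function names `naive_entry_count32` and `count_reloc_entries` and the byte arrays `good_dir`, `short_dir` and `overrun_dir` are all constructed here; the checked walk also rejects a block that claims more bytes than the directory holds, which goes one step beyond the patch's own check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Size of the IMAGE_BASE_RELOCATION header: u32 VirtualAddress, u32 SizeOfBlock */
#define RELOC_HDR_SIZE 8u

/* PE fields are little-endian on disk; decode explicitly so the host byte order does not matter. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Entry count as the unpatched loop computes it, forced into 32-bit unsigned
 * arithmetic: SizeOfBlock < 8 wraps to a count in the billions. */
uint32_t naive_entry_count32(uint32_t size_of_block)
{
    return (size_of_block - RELOC_HDR_SIZE) / 2u;
}

/* Checked walk over a relocation directory of dir_size bytes.
 * Returns 0 and stores the total number of 16-bit entries in *total, or -1 if a
 * block is shorter than its header (would underflow) or longer than what is left. */
int count_reloc_entries(const uint8_t *dir, size_t dir_size, size_t *total)
{
    size_t off = 0, n = 0;

    while (off + RELOC_HDR_SIZE <= dir_size) {
        uint32_t size_of_block = le32(dir + off + 4);

        if (size_of_block == 0)          /* zero-sized block terminates the list */
            break;
        if (size_of_block < RELOC_HDR_SIZE)
            return -1;                   /* the subtraction below would underflow */
        if (size_of_block > dir_size - off)
            return -1;                   /* block overruns the directory */
        n += (size_of_block - RELOC_HDR_SIZE) / sizeof(uint16_t);
        off += size_of_block;
    }
    *total = n;
    return 0;
}

/* Convenience wrapper: total entry count, or -1 when the directory is rejected. */
long checked_total(const uint8_t *dir, size_t dir_size)
{
    size_t n;
    return count_reloc_entries(dir, dir_size, &n) == 0 ? (long)n : -1;
}

/* Constructed sample directories (little-endian bytes). */
const uint8_t good_dir[] = {
    0x00,0x10,0x00,0x00, 0x0c,0x00,0x00,0x00, 0x00,0x30, 0x08,0x30,   /* VA 0x1000, size 12, 2 entries */
    0x00,0x20,0x00,0x00, 0x0a,0x00,0x00,0x00, 0x10,0x30,              /* VA 0x2000, size 10, 1 entry */
};
const uint8_t short_dir[] = {
    0x00,0x10,0x00,0x00, 0x04,0x00,0x00,0x00,                         /* SizeOfBlock 4 < header size */
};
const uint8_t overrun_dir[] = {
    0x00,0x10,0x00,0x00, 0x40,0x00,0x00,0x00, 0x00,0x30, 0x08,0x30,   /* claims 64 bytes, only 12 present */
};

int main(void)
{
    printf("naive count for SizeOfBlock=4: %u\n", naive_entry_count32(4));
    printf("good: %ld, short: %ld, overrun: %ld\n",
           checked_total(good_dir, sizeof(good_dir)),
           checked_total(short_dir, sizeof(short_dir)),
           checked_total(overrun_dir, sizeof(overrun_dir)));
    return 0;
}
```

On the malformed `short_dir` the naive computation gives 0x7ffffffe entries, which is the count the commit message refers to as fitting in a positive `int` on 32-bit targets; the checked walk returns -1 for it before any entry is touched.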
Thread overview: 9+ messages
2026-04-13 12:36 [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Sascha Hauer
2026-04-13 12:36 ` [PATCH 2/4] efi: loader: validate section raw data bounds against image size Sascha Hauer
2026-04-14 8:46 ` Ahmad Fatoum
2026-04-13 12:36 ` Sascha Hauer [this message]
2026-04-14 8:47 ` [PATCH 3/4] efi: loader: fix SizeOfBlock underflow in relocation processing Ahmad Fatoum
2026-04-13 12:36 ` [PATCH 4/4] efi: loader: bounds-check relocation offsets against image size Sascha Hauer
2026-04-14 8:52 ` Ahmad Fatoum
2026-04-14 8:41 ` [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Ahmad Fatoum
2026-04-14 10:06 ` Sascha Hauer