From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>,
Barebox List <barebox@lists.infradead.org>
Cc: Sascha Hauer <sascha@saschahauer.de>,
"Claude Opus 4.6 (1M context)" <noreply@anthropic.com>
Subject: Re: [PATCH 4/4] efi: loader: bounds-check relocation offsets against image size
Date: Tue, 14 Apr 2026 10:52:20 +0200 [thread overview]
Message-ID: <25f50d9e-828c-4083-afed-7f43107a9691@pengutronix.de> (raw)
In-Reply-To: <20260413123646.3552086-4-s.hauer@pengutronix.de>
Hi,
On 4/13/26 2:36 PM, Sascha Hauer wrote:
> From: Sascha Hauer <sascha@saschahauer.de>
>
> The relocation VirtualAddress and page offset are read from the PE
> image and used to compute a write offset into the allocated image
> buffer without any bounds checking. A crafted relocation entry with a
> large VirtualAddress writes past the efi_reloc allocation.
>
> Pass the image size into efi_loader_relocate() and use size_add() to
> check that the relocation offset plus the access width fits within the
> buffer. size_add() saturates to SIZE_MAX on overflow, so the check
> remains correct on 32-bit architectures.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
AFAICS, a 32-bit relocation at the absolute end of a binary would
erroneously trigger this check, but I think that's not worth
complicating the logic over.
Should that ever happen there's a helpful error message..
Cheers,
Ahmad
> ---
> efi/loader/pe.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/efi/loader/pe.c b/efi/loader/pe.c
> index ea385c8795..7d36d8c334 100644
> --- a/efi/loader/pe.c
> +++ b/efi/loader/pe.c
> @@ -108,7 +108,8 @@ void efi_print_image_infos(void *pc)
> */
> static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
> unsigned long rel_size, void *efi_reloc,
> - unsigned long pref_address)
> + unsigned long pref_address,
> + unsigned long image_size)
> {
> unsigned long delta = (unsigned long)efi_reloc - pref_address;
> const IMAGE_BASE_RELOCATION *end;
> @@ -133,6 +134,11 @@ static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
> uint32_t *x32 = efi_reloc + offset;
> uint16_t *x16 = efi_reloc + offset;
>
> + if (size_add(offset, sizeof(uint64_t)) > image_size) {
> + pr_err("Relocation offset exceeds image size\n");
> + return EFI_LOAD_ERROR;
> + }
> +
> switch (type) {
> case IMAGE_REL_BASED_ABSOLUTE:
> break;
> @@ -722,7 +728,8 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
>
> /* Run through relocations */
> if (efi_loader_relocate(rel, rel_size, efi_reloc,
> - (unsigned long)image_base) != EFI_SUCCESS) {
> + (unsigned long)image_base,
> + virt_size) != EFI_SUCCESS) {
> efi_free_pages((uintptr_t) efi_reloc,
> (virt_size + EFI_PAGE_MASK) >> EFI_PAGE_SHIFT);
> ret = EFI_LOAD_ERROR;
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2026-04-14 8:52 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 12:36 [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Sascha Hauer
2026-04-13 12:36 ` [PATCH 2/4] efi: loader: validate section raw data bounds against image size Sascha Hauer
2026-04-14 8:46 ` Ahmad Fatoum
2026-04-13 12:36 ` [PATCH 3/4] efi: loader: fix SizeOfBlock underflow in relocation processing Sascha Hauer
2026-04-14 8:47 ` Ahmad Fatoum
2026-04-13 12:36 ` [PATCH 4/4] efi: loader: bounds-check relocation offsets against image size Sascha Hauer
2026-04-14 8:52 ` Ahmad Fatoum [this message]
2026-04-14 8:41 ` [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Ahmad Fatoum
2026-04-14 10:06 ` Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=25f50d9e-828c-4083-afed-7f43107a9691@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=noreply@anthropic.com \
--cc=s.hauer@pengutronix.de \
--cc=sascha@saschahauer.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox