* [PATCH 2/4] efi: loader: validate section raw data bounds against image size
2026-04-13 12:36 [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Sascha Hauer
@ 2026-04-13 12:36 ` Sascha Hauer
2026-04-14 8:46 ` Ahmad Fatoum
2026-04-13 12:36 ` [PATCH 3/4] efi: loader: fix SizeOfBlock underflow in relocation processing Sascha Hauer
` (3 subsequent siblings)
4 siblings, 1 reply; 9+ messages in thread
From: Sascha Hauer @ 2026-04-13 12:36 UTC (permalink / raw)
To: Barebox List; +Cc: Sascha Hauer, Claude Opus 4.6 (1M context)
From: Sascha Hauer <sascha@saschahauer.de>
When loading PE sections, PointerToRawData and SizeOfRawData from the
section header are used to memcpy from the input image without checking
that the source region fits within the image buffer. A crafted PE with
PointerToRawData pointing near the end of the file causes a read past
the input buffer.
Use size_add() for the bounds check so that the addition saturates to
SIZE_MAX on overflow instead of wrapping, which would bypass the check
on 32-bit architectures where unsigned long is 32 bits.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
efi/loader/pe.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/efi/loader/pe.c b/efi/loader/pe.c
index 7c5aaa1f91..3190718df5 100644
--- a/efi/loader/pe.c
+++ b/efi/loader/pe.c
@@ -706,6 +706,11 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
memset(efi_reloc + sec->VirtualAddress, 0,
sec->Misc.VirtualSize);
}
+ if (size_add(sec->PointerToRawData, copy_size) > efi_size) {
+ pr_err("Section %d exceeds image size\n", i);
+ ret = EFI_LOAD_ERROR;
+ goto err;
+ }
memcpy(efi_reloc + sec->VirtualAddress,
efi + sec->PointerToRawData,
copy_size);
--
2.47.3
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH 2/4] efi: loader: validate section raw data bounds against image size
2026-04-13 12:36 ` [PATCH 2/4] efi: loader: validate section raw data bounds against image size Sascha Hauer
@ 2026-04-14 8:46 ` Ahmad Fatoum
0 siblings, 0 replies; 9+ messages in thread
From: Ahmad Fatoum @ 2026-04-14 8:46 UTC (permalink / raw)
To: Sascha Hauer, Barebox List; +Cc: Sascha Hauer, Claude Opus 4.6 (1M context)
On 4/13/26 2:36 PM, Sascha Hauer wrote:
> From: Sascha Hauer <sascha@saschahauer.de>
>
> When loading PE sections, PointerToRawData and SizeOfRawData from the
> section header are used to memcpy from the input image without checking
> that the source region fits within the image buffer. A crafted PE with
> PointerToRawData pointing near the end of the file causes a read past
> the input buffer.
>
> Use size_add() for the bounds check so that the addition saturates to
> SIZE_MAX on overflow instead of wrapping, which would bypass the check
> on 32-bit architectures where unsigned long is 32 bits.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
> efi/loader/pe.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/efi/loader/pe.c b/efi/loader/pe.c
> index 7c5aaa1f91..3190718df5 100644
> --- a/efi/loader/pe.c
> +++ b/efi/loader/pe.c
> @@ -706,6 +706,11 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
> memset(efi_reloc + sec->VirtualAddress, 0,
> sec->Misc.VirtualSize);
> }
> + if (size_add(sec->PointerToRawData, copy_size) > efi_size) {
> + pr_err("Section %d exceeds image size\n", i);
> + ret = EFI_LOAD_ERROR;
> + goto err;
> + }
> memcpy(efi_reloc + sec->VirtualAddress,
> efi + sec->PointerToRawData,
> copy_size);
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 3/4] efi: loader: fix SizeOfBlock underflow in relocation processing
2026-04-13 12:36 [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Sascha Hauer
2026-04-13 12:36 ` [PATCH 2/4] efi: loader: validate section raw data bounds against image size Sascha Hauer
@ 2026-04-13 12:36 ` Sascha Hauer
2026-04-14 8:47 ` Ahmad Fatoum
2026-04-13 12:36 ` [PATCH 4/4] efi: loader: bounds-check relocation offsets against image size Sascha Hauer
` (2 subsequent siblings)
4 siblings, 1 reply; 9+ messages in thread
From: Sascha Hauer @ 2026-04-13 12:36 UTC (permalink / raw)
To: Barebox List; +Cc: Sascha Hauer, Claude Opus 4.6 (1M context)
From: Sascha Hauer <sascha@saschahauer.de>
rel->SizeOfBlock is a uint32_t read from the PE image. If it is smaller
than sizeof(IMAGE_BASE_RELOCATION) (8 bytes), the subtraction
SizeOfBlock - sizeof(*rel) underflows. On 32-bit architectures (ARM,
i386, riscv32) the resulting huge unsigned value divided by 2 fits in a
positive int, causing the relocation loop to iterate billions of times,
reading and writing far past the relocation block.
Reject relocation blocks with SizeOfBlock smaller than the base
relocation header.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
efi/loader/pe.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/efi/loader/pe.c b/efi/loader/pe.c
index 3190718df5..ea385c8795 100644
--- a/efi/loader/pe.c
+++ b/efi/loader/pe.c
@@ -120,6 +120,10 @@ static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
end = (const IMAGE_BASE_RELOCATION *)((const char *)rel + rel_size);
while (rel + 1 < end && rel->SizeOfBlock) {
const uint16_t *relocs = (const uint16_t *)(rel + 1);
+
+ if (rel->SizeOfBlock < sizeof(*rel))
+ return EFI_LOAD_ERROR;
+
i = (rel->SizeOfBlock - sizeof(*rel)) / sizeof(uint16_t);
while (i--) {
uint32_t offset = (uint32_t)(*relocs & 0xfff) +
--
2.47.3
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH 3/4] efi: loader: fix SizeOfBlock underflow in relocation processing
2026-04-13 12:36 ` [PATCH 3/4] efi: loader: fix SizeOfBlock underflow in relocation processing Sascha Hauer
@ 2026-04-14 8:47 ` Ahmad Fatoum
0 siblings, 0 replies; 9+ messages in thread
From: Ahmad Fatoum @ 2026-04-14 8:47 UTC (permalink / raw)
To: Sascha Hauer, Barebox List; +Cc: Sascha Hauer, Claude Opus 4.6 (1M context)
On 4/13/26 2:36 PM, Sascha Hauer wrote:
> From: Sascha Hauer <sascha@saschahauer.de>
>
> rel->SizeOfBlock is a uint32_t read from the PE image. If it is smaller
> than sizeof(IMAGE_BASE_RELOCATION) (8 bytes), the subtraction
> SizeOfBlock - sizeof(*rel) underflows. On 32-bit architectures (ARM,
> i386, riscv32) the resulting huge unsigned value divided by 2 fits in a
> positive int, causing the relocation loop to iterate billions of times,
> reading and writing far past the relocation block.
>
> Reject relocation blocks with SizeOfBlock smaller than the base
> relocation header.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
> efi/loader/pe.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/efi/loader/pe.c b/efi/loader/pe.c
> index 3190718df5..ea385c8795 100644
> --- a/efi/loader/pe.c
> +++ b/efi/loader/pe.c
> @@ -120,6 +120,10 @@ static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
> end = (const IMAGE_BASE_RELOCATION *)((const char *)rel + rel_size);
> while (rel + 1 < end && rel->SizeOfBlock) {
> const uint16_t *relocs = (const uint16_t *)(rel + 1);
> +
> + if (rel->SizeOfBlock < sizeof(*rel))
> + return EFI_LOAD_ERROR;
> +
> i = (rel->SizeOfBlock - sizeof(*rel)) / sizeof(uint16_t);
> while (i--) {
> uint32_t offset = (uint32_t)(*relocs & 0xfff) +
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 4/4] efi: loader: bounds-check relocation offsets against image size
2026-04-13 12:36 [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Sascha Hauer
2026-04-13 12:36 ` [PATCH 2/4] efi: loader: validate section raw data bounds against image size Sascha Hauer
2026-04-13 12:36 ` [PATCH 3/4] efi: loader: fix SizeOfBlock underflow in relocation processing Sascha Hauer
@ 2026-04-13 12:36 ` Sascha Hauer
2026-04-14 8:52 ` Ahmad Fatoum
2026-04-14 8:41 ` [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Ahmad Fatoum
2026-04-14 10:06 ` Sascha Hauer
4 siblings, 1 reply; 9+ messages in thread
From: Sascha Hauer @ 2026-04-13 12:36 UTC (permalink / raw)
To: Barebox List; +Cc: Sascha Hauer, Claude Opus 4.6 (1M context)
From: Sascha Hauer <sascha@saschahauer.de>
The relocation VirtualAddress and page offset are read from the PE
image and used to compute a write offset into the allocated image
buffer without any bounds checking. A crafted relocation entry with a
large VirtualAddress writes past the efi_reloc allocation.
Pass the image size into efi_loader_relocate() and use size_add() to
check that the relocation offset plus the access width fits within the
buffer. size_add() saturates to SIZE_MAX on overflow, so the check
remains correct on 32-bit architectures.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
efi/loader/pe.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/efi/loader/pe.c b/efi/loader/pe.c
index ea385c8795..7d36d8c334 100644
--- a/efi/loader/pe.c
+++ b/efi/loader/pe.c
@@ -108,7 +108,8 @@ void efi_print_image_infos(void *pc)
*/
static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
unsigned long rel_size, void *efi_reloc,
- unsigned long pref_address)
+ unsigned long pref_address,
+ unsigned long image_size)
{
unsigned long delta = (unsigned long)efi_reloc - pref_address;
const IMAGE_BASE_RELOCATION *end;
@@ -133,6 +134,11 @@ static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
uint32_t *x32 = efi_reloc + offset;
uint16_t *x16 = efi_reloc + offset;
+ if (size_add(offset, sizeof(uint64_t)) > image_size) {
+ pr_err("Relocation offset exceeds image size\n");
+ return EFI_LOAD_ERROR;
+ }
+
switch (type) {
case IMAGE_REL_BASED_ABSOLUTE:
break;
@@ -722,7 +728,8 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
/* Run through relocations */
if (efi_loader_relocate(rel, rel_size, efi_reloc,
- (unsigned long)image_base) != EFI_SUCCESS) {
+ (unsigned long)image_base,
+ virt_size) != EFI_SUCCESS) {
efi_free_pages((uintptr_t) efi_reloc,
(virt_size + EFI_PAGE_MASK) >> EFI_PAGE_SHIFT);
ret = EFI_LOAD_ERROR;
--
2.47.3
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH 4/4] efi: loader: bounds-check relocation offsets against image size
2026-04-13 12:36 ` [PATCH 4/4] efi: loader: bounds-check relocation offsets against image size Sascha Hauer
@ 2026-04-14 8:52 ` Ahmad Fatoum
0 siblings, 0 replies; 9+ messages in thread
From: Ahmad Fatoum @ 2026-04-14 8:52 UTC (permalink / raw)
To: Sascha Hauer, Barebox List; +Cc: Sascha Hauer, Claude Opus 4.6 (1M context)
Hi,
On 4/13/26 2:36 PM, Sascha Hauer wrote:
> From: Sascha Hauer <sascha@saschahauer.de>
>
> The relocation VirtualAddress and page offset are read from the PE
> image and used to compute a write offset into the allocated image
> buffer without any bounds checking. A crafted relocation entry with a
> large VirtualAddress writes past the efi_reloc allocation.
>
> Pass the image size into efi_loader_relocate() and use size_add() to
> check that the relocation offset plus the access width fits within the
> buffer. size_add() saturates to SIZE_MAX on overflow, so the check
> remains correct on 32-bit architectures.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
AFAICS, a 32-bit relocation at the absolute end of a binary would
erroneously trigger this check, but I think that's not worth
complicating the logic over.
Should that ever happen there's a helpful error message..
Cheers,
Ahmad
> ---
> efi/loader/pe.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/efi/loader/pe.c b/efi/loader/pe.c
> index ea385c8795..7d36d8c334 100644
> --- a/efi/loader/pe.c
> +++ b/efi/loader/pe.c
> @@ -108,7 +108,8 @@ void efi_print_image_infos(void *pc)
> */
> static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
> unsigned long rel_size, void *efi_reloc,
> - unsigned long pref_address)
> + unsigned long pref_address,
> + unsigned long image_size)
> {
> unsigned long delta = (unsigned long)efi_reloc - pref_address;
> const IMAGE_BASE_RELOCATION *end;
> @@ -133,6 +134,11 @@ static efi_status_t efi_loader_relocate(const IMAGE_BASE_RELOCATION *rel,
> uint32_t *x32 = efi_reloc + offset;
> uint16_t *x16 = efi_reloc + offset;
>
> + if (size_add(offset, sizeof(uint64_t)) > image_size) {
> + pr_err("Relocation offset exceeds image size\n");
> + return EFI_LOAD_ERROR;
> + }
> +
> switch (type) {
> case IMAGE_REL_BASED_ABSOLUTE:
> break;
> @@ -722,7 +728,8 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
>
> /* Run through relocations */
> if (efi_loader_relocate(rel, rel_size, efi_reloc,
> - (unsigned long)image_base) != EFI_SUCCESS) {
> + (unsigned long)image_base,
> + virt_size) != EFI_SUCCESS) {
> efi_free_pages((uintptr_t) efi_reloc,
> (virt_size + EFI_PAGE_MASK) >> EFI_PAGE_SHIFT);
> ret = EFI_LOAD_ERROR;
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation
2026-04-13 12:36 [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Sascha Hauer
` (2 preceding siblings ...)
2026-04-13 12:36 ` [PATCH 4/4] efi: loader: bounds-check relocation offsets against image size Sascha Hauer
@ 2026-04-14 8:41 ` Ahmad Fatoum
2026-04-14 10:06 ` Sascha Hauer
4 siblings, 0 replies; 9+ messages in thread
From: Ahmad Fatoum @ 2026-04-14 8:41 UTC (permalink / raw)
To: Sascha Hauer, Barebox List; +Cc: Sascha Hauer, Claude Opus 4.6 (1M context)
On 4/13/26 2:36 PM, Sascha Hauer wrote:
> From: Sascha Hauer <sascha@saschahauer.de>
>
> sec->VirtualAddress and section_size() are both u32. Their addition can
> wrap on overflow before being widened to unsigned long by max_t. For
> example VirtualAddress=0xFFFF0000 + VirtualSize=0x20000 wraps to
> 0x10000, producing an undersized allocation. The subsequent memset and
> memcpy to efi_reloc + sec->VirtualAddress then write far past the
> allocated buffer.
>
> On ARM32 (which selects HAVE_EFI_LOADER), unsigned long is also 32 bits,
> so a section layout that overflows u32 cannot be mapped in the address
> space at all. Use check_add_overflow() to detect the wraparound and
> reject the PE image as corrupt.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
> efi/loader/pe.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/efi/loader/pe.c b/efi/loader/pe.c
> index 3c30211f10..7c5aaa1f91 100644
> --- a/efi/loader/pe.c
> +++ b/efi/loader/pe.c
> @@ -23,6 +23,7 @@
> #include <pe.h>
> #include <qsort.h>
> #include <linux/err.h>
> +#include <linux/overflow.h>
>
> static int machines[] = {
> #if defined(__aarch64__)
> @@ -636,9 +637,15 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
> /* Calculate upper virtual address boundary */
> for (i = num_sections - 1; i >= 0; i--) {
> IMAGE_SECTION_HEADER *sec = §ions[i];
> + unsigned long vs;
>
> - virt_size = max_t(unsigned long, virt_size,
> - sec->VirtualAddress + section_size(sec));
> + if (check_add_overflow((unsigned long)sec->VirtualAddress,
> + (unsigned long)section_size(sec), &vs)) {
> + pr_err("Section %d virtual address overflow\n", i);
> + return EFI_LOAD_ERROR;
> + }
> +
> + virt_size = max(virt_size, vs);
> }
>
> /* Read 32/64bit specific header bits */
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation
2026-04-13 12:36 [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Sascha Hauer
` (3 preceding siblings ...)
2026-04-14 8:41 ` [PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation Ahmad Fatoum
@ 2026-04-14 10:06 ` Sascha Hauer
4 siblings, 0 replies; 9+ messages in thread
From: Sascha Hauer @ 2026-04-14 10:06 UTC (permalink / raw)
To: Barebox List, Sascha Hauer; +Cc: Sascha Hauer, Claude Opus 4.6 (1M context)
On Mon, 13 Apr 2026 14:36:43 +0200, Sascha Hauer wrote:
> sec->VirtualAddress and section_size() are both u32. Their addition can
> wrap on overflow before being widened to unsigned long by max_t. For
> example VirtualAddress=0xFFFF0000 + VirtualSize=0x20000 wraps to
> 0x10000, producing an undersized allocation. The subsequent memset and
> memcpy to efi_reloc + sec->VirtualAddress then write far past the
> allocated buffer.
>
> [...]
Applied, thanks!
[1/4] efi: loader: fix integer overflow in PE virt_size calculation
https://git.pengutronix.de/cgit/barebox/commit/?id=b6598389d46d (link may not be stable)
[2/4] efi: loader: validate section raw data bounds against image size
https://git.pengutronix.de/cgit/barebox/commit/?id=552a54e4d357 (link may not be stable)
[3/4] efi: loader: fix SizeOfBlock underflow in relocation processing
https://git.pengutronix.de/cgit/barebox/commit/?id=a848b6109544 (link may not be stable)
[4/4] efi: loader: bounds-check relocation offsets against image size
https://git.pengutronix.de/cgit/barebox/commit/?id=1e97eec23476 (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>
^ permalink raw reply [flat|nested] 9+ messages in thread