From: Tzung-Bi Shih <tzungbi@kernel.org>
To: Titouan Ameline de Cadeville <titouan.ameline@gmail.com>
Cc: briannorris@chromium.org, jwerner@chromium.org,
chrome-platform@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] firmware: google: add bounds checks in coreboot_table_populate()
Date: Tue, 28 Apr 2026 02:44:59 +0000
Message-ID: <afAfK_uK0tir4a9z@google.com>
In-Reply-To: <20260426214739.117131-1-titouan.ameline@gmail.com>
On Sun, Apr 26, 2026 at 11:47:39PM +0200, Titouan Ameline de Cadeville wrote:
> coreboot_table_populate() iterates over firmware-provided table entries
> with no validation that the entries stay within the mapped memory region.
> A corrupt table with a large entry->size advances ptr_entry past the
> mapped region, causing an out-of-bounds read on the next iteration.
>
> Add a check before dereferencing ptr_entry to ensure the entry header
> is readable, and a second check after reading entry->size to ensure the
> full entry stays within the mapped region.
>
> Pass len from coreboot_table_probe() into coreboot_table_populate() to
> make the mapped region size available for validation.
To be fair, the `len` is also from the firmware. If it's corrupted as well,
the out-of-bounds read could still happen.
>
> [...]
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux.git for-firmware-next
[1/1] firmware: google: add bounds checks in coreboot_table_populate()
commit: 7b1a1af4556a4f95ef273e91435fe804cbfcd223
Thanks!
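A stand-alone illustration of the two checks the commit message describes, plus the point raised above that the region length itself must come from the mapping the caller set up rather than from the firmware table. This is an added example, not the kernel's or the patch's own code; the entry layout, the function names and the sample tables are assumptions constructed for it.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical entry layout (not the kernel's own struct): a 32-bit tag,
 * then the entry's total size in bytes, header included. */
#define ENTRY_HDR_LEN 8u

static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the entries in a mapped region of `len` bytes at `base`. Returns
 * the number of complete entries, or -1 at the first one that does not
 * fit. `len` must be the size of the mapping the caller established
 * itself; a length read out of the firmware table is equally untrusted. */
static int walk_table(const uint8_t *base, size_t len)
{
	size_t off = 0;
	int count = 0;

	while (off < len) {
		uint32_t size;
		/* Check 1: the header must be fully readable before any
		 * field in it is dereferenced. */
		if (len - off < ENTRY_HDR_LEN)
			return -1;
		size = le32(base + off + 4);
		/* Check 2: the whole entry must stay inside the mapping.
		 * Comparing with the remaining bytes avoids wrap-around in
		 * off + size; size < header length would stall the walk. */
		if (size < ENTRY_HDR_LEN || size > len - off)
			return -1;
		count++;
		off += size;
	}
	return count;
}

/* Constructed samples, little-endian: two well-formed entries (8 + 12
 * bytes), and a table whose second entry claims 0xFFFFFFF0 bytes. */
static const uint8_t good_table[20] = {
	1, 0, 0, 0, 8, 0, 0, 0, 2, 0, 0, 0, 12, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0xDD,
};
static const uint8_t bad_table[20] = {
	1, 0, 0, 0, 8, 0, 0, 0, 2, 0, 0, 0, 0xF0, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0,
};
```

Passing a `len` shorter than the table (a truncated mapping) is rejected by the first check, and an oversized `size` by the second, so neither advances the walk past the region.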