From: Tzung-Bi Shih <tzungbi@kernel.org>
To: Titouan Ameline de Cadeville <titouan.ameline@gmail.com>
Cc: briannorris@chromium.org, jwerner@chromium.org,
chrome-platform@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] firmware: google: add bounds checks in coreboot_table_populate()
Date: Tue, 28 Apr 2026 02:44:59 +0000 [thread overview]
Message-ID: <afAfK_uK0tir4a9z@google.com> (raw)
In-Reply-To: <20260426214739.117131-1-titouan.ameline@gmail.com>
On Sun, Apr 26, 2026 at 11:47:39PM +0200, Titouan Ameline de Cadeville wrote:
> coreboot_table_populate() iterates over firmware-provided table entries
> with no validation that the entries stay within the mapped memory region.
> A corrupt table with a large entry->size advances ptr_entry past the
> mapped region, causing an out-of-bounds read on the next iteration.
>
> Add a check before dereferencing ptr_entry to ensure the entry header
> is readable, and a second check after reading entry->size to ensure the
> full entry stays within the mapped region.
>
> Pass len from coreboot_table_probe() into coreboot_table_populate() to
> make the mapped region size available for validation.
To be fair, the `len` is also from the firmware. If it's corrupted as well,
the out-of-bounds read could still happen.
>
> [...]
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux.git for-firmware-next
[1/1] firmware: google: add bounds checks in coreboot_table_populate()
commit: 7b1a1af4556a4f95ef273e91435fe804cbfcd223
Thanks!
prev parent reply other threads:[~2026-04-28 2:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-26 21:47 [PATCH] firmware: google: add bounds checks in coreboot_table_populate() Titouan Ameline de Cadeville
2026-04-27 18:55 ` Julius Werner
2026-04-28 2:38 ` Tzung-Bi Shih
2026-04-28 2:44 ` Tzung-Bi Shih [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=afAfK_uK0tir4a9z@google.com \
--to=tzungbi@kernel.org \
--cc=briannorris@chromium.org \
--cc=chrome-platform@lists.linux.dev \
--cc=jwerner@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=titouan.ameline@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox