* [PATCH] firmware: google: add bounds checks in coreboot_table_populate()
@ 2026-04-26 21:47 Titouan Ameline de Cadeville
2026-04-27 18:55 ` Julius Werner
2026-04-28 2:44 ` Tzung-Bi Shih
0 siblings, 2 replies; 4+ messages in thread
From: Titouan Ameline de Cadeville @ 2026-04-26 21:47 UTC (permalink / raw)
To: tzungbi
Cc: briannorris, jwerner, chrome-platform, linux-kernel,
Titouan Ameline de Cadeville
coreboot_table_populate() iterates over firmware-provided table entries
with no validation that the entries stay within the mapped memory region.
A corrupt table with a large entry->size advances ptr_entry past the
mapped region, causing an out-of-bounds read on the next iteration.
Add a check before dereferencing ptr_entry to ensure the entry header
is readable, and a second check after reading entry->size to ensure the
full entry stays within the mapped region.
Pass len from coreboot_table_probe() into coreboot_table_populate() to
make the mapped region size available for validation.
Signed-off-by: Titouan Ameline de Cadeville <titouan.ameline@gmail.com>
---
drivers/firmware/google/coreboot_table.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/google/coreboot_table.c b/drivers/firmware/google/coreboot_table.c
index c769631ea15d..233939e548b4 100644
--- a/drivers/firmware/google/coreboot_table.c
+++ b/drivers/firmware/google/coreboot_table.c
@@ -112,16 +112,20 @@ void coreboot_driver_unregister(struct coreboot_driver *driver)
}
EXPORT_SYMBOL(coreboot_driver_unregister);
-static int coreboot_table_populate(struct device *dev, void *ptr)
+static int coreboot_table_populate(struct device *dev, void *ptr, resource_size_t len)
{
int i, ret;
void *ptr_entry;
struct coreboot_device *device;
struct coreboot_table_entry *entry;
struct coreboot_table_header *header = ptr;
+ void *ptr_end;
+ ptr_end = ptr + len;
ptr_entry = ptr + header->header_bytes;
for (i = 0; i < header->table_entries; i++) {
+ if (ptr_entry + sizeof(*entry) > ptr_end)
+ return -EINVAL;
entry = ptr_entry;
if (entry->size < sizeof(*entry)) {
@@ -129,6 +133,9 @@ static int coreboot_table_populate(struct device *dev, void *ptr)
return -EINVAL;
}
+ if (ptr_entry + entry->size > ptr_end)
+ return -EINVAL;
+
device = kzalloc(sizeof(device->dev) + entry->size, GFP_KERNEL);
if (!device)
return -ENOMEM;
@@ -194,7 +201,7 @@ static int coreboot_table_probe(struct platform_device *pdev)
if (!ptr)
return -ENOMEM;
- ret = coreboot_table_populate(dev, ptr);
+ ret = coreboot_table_populate(dev, ptr, len);
memunmap(ptr);
--
2.44.2
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] firmware: google: add bounds checks in coreboot_table_populate()
2026-04-26 21:47 [PATCH] firmware: google: add bounds checks in coreboot_table_populate() Titouan Ameline de Cadeville
@ 2026-04-27 18:55 ` Julius Werner
2026-04-28 2:38 ` Tzung-Bi Shih
2026-04-28 2:44 ` Tzung-Bi Shih
1 sibling, 1 reply; 4+ messages in thread
From: Julius Werner @ 2026-04-27 18:55 UTC (permalink / raw)
To: Titouan Ameline de Cadeville
Cc: tzungbi, briannorris, jwerner, chrome-platform, linux-kernel
Reviewed-by: Julius Werner <jwerner@chromium.org>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] firmware: google: add bounds checks in coreboot_table_populate()
2026-04-26 21:47 [PATCH] firmware: google: add bounds checks in coreboot_table_populate() Titouan Ameline de Cadeville
2026-04-27 18:55 ` Julius Werner
@ 2026-04-28 2:44 ` Tzung-Bi Shih
1 sibling, 0 replies; 4+ messages in thread
From: Tzung-Bi Shih @ 2026-04-28 2:44 UTC (permalink / raw)
To: Titouan Ameline de Cadeville
Cc: briannorris, jwerner, chrome-platform, linux-kernel
On Sun, Apr 26, 2026 at 11:47:39PM +0200, Titouan Ameline de Cadeville wrote:
> coreboot_table_populate() iterates over firmware-provided table entries
> with no validation that the entries stay within the mapped memory region.
> A corrupt table with a large entry->size advances ptr_entry past the
> mapped region, causing an out-of-bounds read on the next iteration.
>
> Add a check before dereferencing ptr_entry to ensure the entry header
> is readable, and a second check after reading entry->size to ensure the
> full entry stays within the mapped region.
>
> Pass len from coreboot_table_probe() into coreboot_table_populate() to
> make the mapped region size available for validation.
To be fair, the `len` is also from the firmware. If it's corrupted as well,
the out-of-bounds read could still happen.
>
> [...]
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux.git for-firmware-next
[1/1] firmware: google: add bounds checks in coreboot_table_populate()
commit: 7b1a1af4556a4f95ef273e91435fe804cbfcd223
Thanks!
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-28 2:45 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-26 21:47 [PATCH] firmware: google: add bounds checks in coreboot_table_populate() Titouan Ameline de Cadeville
2026-04-27 18:55 ` Julius Werner
2026-04-28 2:38 ` Tzung-Bi Shih
2026-04-28 2:44 ` Tzung-Bi Shih
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox