From mboxrd@z Thu Jan 1 00:00:00 1970 From: AKASHI Takahiro Date: Fri, 28 Aug 2020 10:27:36 +0900 Subject: [PATCH 1/1] efi_loader: check for image truncation In-Reply-To: <20200827162435.58430-1-xypron.glpk@gmx.de> References: <20200827162435.58430-1-xypron.glpk@gmx.de> Message-ID: <20200828012736.GA209121@laputa> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On Thu, Aug 27, 2020 at 06:24:35PM +0200, Heinrich Schuchardt wrote: > Check in efi_load_pe() that the image size parameter is at least as large > as the image size indicated in the optional PE header. > > Signed-off-by: Heinrich Schuchardt > --- > lib/efi_loader/efi_image_loader.c | 28 +++++++++++++++++++++++----- > 1 file changed, 23 insertions(+), 5 deletions(-) > > diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c > index 94f76ef6b8..e55ade3291 100644 > --- a/lib/efi_loader/efi_image_loader.c > +++ b/lib/efi_loader/efi_image_loader.c > @@ -761,6 +761,29 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, > goto err; > } > > + if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { > + IMAGE_NT_HEADERS64 *nt64 = (void *)nt; > + > + if ((size_t)opt->SizeOfImage > efi_size) { > + log_err("Truncated Image\n"); > + ret = EFI_LOAD_ERROR; > + goto err; > + } > + } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { > + IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader; > + > + if ((size_t)opt->SizeOfImage > efi_size) { > + log_err("Truncated Image\n"); > + ret = EFI_LOAD_ERROR; > + goto err; > + } > + } else { > + log_err("Invalid optional header magic %x\n", > + nt->OptionalHeader.Magic); > + ret = EFI_LOAD_ERROR; > + goto err; > + } Please remove the same message, which is now redundant, in efi_image_parse(). -Takahiro Akashi > + > /* Authenticate an image */ > if (efi_image_authenticate(efi, efi_size)) { > handle->auth_status = EFI_IMAGE_AUTH_PASSED; > @@ -810,11 +833,6 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, > rel_size = opt->DataDirectory[rel_idx].Size; > rel = efi_reloc + opt->DataDirectory[rel_idx].VirtualAddress; > virt_size = ALIGN(virt_size, opt->SectionAlignment); > - } else { > - log_err("Invalid optional header magic %x\n", > - nt->OptionalHeader.Magic); > - ret = EFI_LOAD_ERROR; > - goto err; > } > > /* Copy PE headers */ > -- > 2.28.0 >