38 lines
1.2 KiB
Diff
38 lines
1.2 KiB
Diff
|
From e7f5fdf53ee68025f3ef2688e2f27ccb0082db83 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Peter Jones <pjones@redhat.com>
|
||
|
|
Date: Thu, 27 Jul 2023 17:59:22 -0400
|
||
|
|
Subject: [PATCH] pe-relocate: Ensure nothing else implements CVE-2023-40550
|
||
|
|
|
||
|
|
In CVE-2023-40550, we scan the section headers for the section
|
||
|
|
name without having verified that the section header is actually in the
|
||
|
|
binary.
|
||
|
|
|
||
|
|
This patch adds such verification to read_headers()
|
||
|
|
|
||
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||
|
|
---
|
||
|
|
pe-relocate.c | 7 +++++++
|
||
|
|
1 file changed, 7 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/pe-relocate.c b/pe-relocate.c
|
||
|
|
index 1723642..cb7a02c 100644
|
||
|
|
--- a/pe.c
|
||
|
|
+++ b/pe.c
|
||
|
|
@@ -472,6 +472,13 @@ read_header(void *data, unsigned int datasize,
|
||
|
|
return EFI_UNSUPPORTED;
|
||
|
|
}
|
||
|
|
|
||
|
|
+ if (checked_mul((size_t)context->NumberOfSections, sizeof(EFI_IMAGE_SECTION_HEADER), &tmpsz0) ||
|
||
|
|
+ checked_add(tmpsz0, SectionHeaderOffset, &tmpsz0) ||
|
||
|
|
+ (tmpsz0 > datasize)) {
|
||
|
|
+ perror(L"Image sections overflow section headers\n");
|
||
|
|
+ return EFI_UNSUPPORTED;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
if (checked_sub((size_t)(uintptr_t)PEHdr, (size_t)(uintptr_t)data, &tmpsz0) ||
|
||
|
|
checked_add(tmpsz0, sizeof(EFI_IMAGE_OPTIONAL_HEADER_UNION), &tmpsz0) ||
|
||
|
|
(tmpsz0 > datasize)) {
|
||
|
|
--
|
||
|
|
2.33.0
|
||
|
|
|