From 93ce2552f3e9f71f888a672913bfc0eef255c56d Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 27 Jul 2023 14:57:32 -0400 Subject: [PATCH] CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat() In verify_buffer_sbat(), we have a goal-seeking loop to find the .sbat section header. Unfortunately, while the actual contents of the section are checked for being inside the binary, no such check exists for the contents of the section table entry. As a result, a carefully constructed binary will cause an out-of-bounds read checking if the section name is ".sbat\0\0\0" or not. This patch adds a check that each section table entry is within the bounds of the binary. It's not currently known if this is actually exploitable beyond creating a denial of service, and an attacker who is in a position to use it for a denial of service attack must already be able to do so. Resolves: CVE-2023-40550 Reported-by: gkirkpatrick@google.com Signed-off-by: Peter Jones --- shim.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shim.c b/shim.c index 01e5e56..3a97067 100644 --- a/shim.c +++ b/shim.c @@ -709,6 +709,11 @@ verify_buffer_sbat (char *data, int datasize, Section = context->FirstSection; for (i = 0; i < context->NumberOfSections; i++, Section++) { + if ((uint64_t)&Section[1] > (uint64_t)data + datasize) { + perror(L"Section exceeds bounds of image\n"); + return EFI_UNSUPPORTED; + } + if (CompareMem(Section->Name, ".sbat\0\0\0", 8) != 0) continue; -- 2.33.0
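Review bot: the new check is placed before the `CompareMem(Section->Name, ".sbat\0\0\0", 8)` read, which is the access the commit message describes as out of bounds, so the ordering is right; the point worth raising is the arithmetic in `(uint64_t)data + datasize`. The function signature in the hunk header shows `datasize` declared as `int`, so a negative value is converted to a very large unsigned quantity and the comparison would pass for every section header. Unless an earlier check already rejects a non-positive `datasize` (not visible in this hunk), consider validating it first or making the intended conversion explicit, e.g. `(uint64_t)data + (uint64_t)datasize` after a `datasize > 0` check. Note also that this only bounds the upper end: it assumes `context->FirstSection` already lies inside `data`, which the hunk does not show being verified, and a short comment saying which validation is relied on would help future readers.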