48 lines
1.5 KiB
Diff
48 lines
1.5 KiB
Diff
From 93ce2552f3e9f71f888a672913bfc0eef255c56d Mon Sep 17 00:00:00 2001
|
|
From: Peter Jones <pjones@redhat.com>
|
|
Date: Thu, 27 Jul 2023 14:57:32 -0400
|
|
Subject: [PATCH] CVE-2023-40550 pe: Fix an out-of-bound read in
|
|
verify_buffer_sbat()
|
|
|
|
In verify_buffer_sbat(), we have a goal-seeking loop to find the .sbat
|
|
section header. Unfortunately, while the actual contents of the section
|
|
are checked for being inside the binary, no such check exists for the
|
|
contents of the section table entry.
|
|
|
|
As a result, a carefully constructed binary will cause an out-of-bounds
|
|
read checking if the section name is ".sbat\0\0\0" or not.
|
|
|
|
This patch adds a check that each section table entry is within the
|
|
bounds of the binary.
|
|
|
|
It's not currently known if this is actually exploitable beyond creating
|
|
a denial of service, and an attacker who is in a position to use it for
|
|
a denial of service attack must already be able to do so.
|
|
|
|
Resolves: CVE-2023-40550
|
|
Reported-by: gkirkpatrick@google.com
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
---
|
|
shim.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/shim.c b/shim.c
|
|
index 01e5e56..3a97067 100644
|
|
--- a/shim.c
|
|
+++ b/shim.c
|
|
@@ -709,6 +709,11 @@ verify_buffer_sbat (char *data, int datasize,
|
|
|
|
Section = context->FirstSection;
|
|
for (i = 0; i < context->NumberOfSections; i++, Section++) {
|
|
+ if ((uint64_t)&Section[1] > (uint64_t)data + datasize) {
|
|
+ perror(L"Section exceeds bounds of image\n");
|
|
+ return EFI_UNSUPPORTED;
|
|
+ }
|
|
+
|
|
if (CompareMem(Section->Name, ".sbat\0\0\0", 8) != 0)
|
|
continue;
|
|
|
|
--
|
|
2.33.0
|
|
|