[PATCH 2/4] efi: loader: validate section raw data bounds against image size
Sascha Hauer
s.hauer at pengutronix.de
Mon Apr 13 05:36:44 PDT 2026
From: Sascha Hauer <sascha at saschahauer.de>
When loading PE sections, PointerToRawData and SizeOfRawData from the
section header are used to memcpy from the input image without checking
that the source region fits within the image buffer. A crafted PE with
PointerToRawData pointing near the end of the file causes a read past
the input buffer.
Use size_add() for the bounds check so that the addition saturates to
SIZE_MAX on overflow instead of wrapping, which would bypass the check
on 32-bit architectures where unsigned long is 32 bits.
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply at anthropic.com>
---
efi/loader/pe.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/efi/loader/pe.c b/efi/loader/pe.c
index 7c5aaa1f91..3190718df5 100644
--- a/efi/loader/pe.c
+++ b/efi/loader/pe.c
@@ -706,6 +706,11 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
memset(efi_reloc + sec->VirtualAddress, 0,
sec->Misc.VirtualSize);
}
+ if (size_add(sec->PointerToRawData, copy_size) > efi_size) {
+ pr_err("Section %d exceeds image size\n", i);
+ ret = EFI_LOAD_ERROR;
+ goto err;
+ }
memcpy(efi_reloc + sec->VirtualAddress,
efi + sec->PointerToRawData,
copy_size);
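Review bot: The added check in efi_load_pe() bounds only the source side of the copy (efi + sec->PointerToRawData for copy_size); the destination side, efi_reloc + sec->VirtualAddress in the memcpy() right after it and the memset() with sec->Misc.VirtualSize right before it, has no bound in the lines shown. If that range is not validated earlier in the function, the same size_add() comparison should be made for sec->VirtualAddress against the size of the efi_reloc buffer. Consider also moving the check above the memset() so a malformed section is rejected before anything is written, and printing sec->PointerToRawData and copy_size in the pr_err() so the log identifies the offending values.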
--
2.47.3
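The wrap described in the commit message, as an added example that is not part of the patch or of barebox. It assumes a 32-bit size_t, modelled here with uint32_t so the behaviour is the same on any host; sat_add32() and the in_bounds_* helpers are hypothetical names, with sat_add32() standing in for the saturating behaviour the message attributes to size_add().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: models size_t on a 32-bit target. */
typedef uint32_t size32_t;

/* Hypothetical stand-in for size_add(): saturate instead of wrapping. */
static size32_t sat_add32(size32_t a, size32_t b)
{
	size32_t sum = (size32_t)(a + b);

	return sum < a ? UINT32_MAX : sum;
}

/* Naive form: off + len wraps modulo 2^32, so a huge offset can pass. */
static bool in_bounds_wrapping(size32_t off, size32_t len, size32_t size)
{
	return (size32_t)(off + len) <= size;
}

/* Form used by the patch: overflow saturates and fails the comparison. */
static bool in_bounds_saturating(size32_t off, size32_t len, size32_t size)
{
	return sat_add32(off, len) <= size;
}

/* Equivalent form without any addition, exact for every size value. */
static bool in_bounds_subtract(size32_t off, size32_t len, size32_t size)
{
	return off <= size && len <= size - off;
}

int main(void)
{
	/* Constructed section header values for a 64 KiB image. */
	size32_t size = 0x10000, off = 0xFFFFFF00u, len = 0x200;

	printf("wrapping:   %s\n",
	       in_bounds_wrapping(off, len, size) ? "accepted" : "rejected");
	printf("saturating: %s\n",
	       in_bounds_saturating(off, len, size) ? "accepted" : "rejected");
	printf("subtract:   %s\n",
	       in_bounds_subtract(off, len, size) ? "accepted" : "rejected");
	return 0;
}
```

The subtraction form also rejects the one case a saturating sum cannot distinguish, where the buffer size itself equals the maximum value.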