[PATCH 2/4] efi: loader: validate section raw data bounds against image size
Ahmad Fatoum
a.fatoum at pengutronix.de
Tue Apr 14 01:46:38 PDT 2026
On 4/13/26 2:36 PM, Sascha Hauer wrote:
> From: Sascha Hauer <sascha at saschahauer.de>
>
> When loading PE sections, PointerToRawData and SizeOfRawData from the
> section header are used to memcpy from the input image without checking
> that the source region fits within the image buffer. A crafted PE with
> PointerToRawData pointing near the end of the file causes a read past
> the input buffer.
>
> Use size_add() for the bounds check so that the addition saturates to
> SIZE_MAX on overflow instead of wrapping, which would bypass the check
> on 32-bit architectures where unsigned long is 32 bits.
>
> Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply at anthropic.com>
Reviewed-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
> ---
> efi/loader/pe.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/efi/loader/pe.c b/efi/loader/pe.c
> index 7c5aaa1f91..3190718df5 100644
> --- a/efi/loader/pe.c
> +++ b/efi/loader/pe.c
> @@ -706,6 +706,11 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
> memset(efi_reloc + sec->VirtualAddress, 0,
> sec->Misc.VirtualSize);
> }
> + if (size_add(sec->PointerToRawData, copy_size) > efi_size) {
> + pr_err("Section %d exceeds image size\n", i);
> + ret = EFI_LOAD_ERROR;
> + goto err;
> + }
> memcpy(efi_reloc + sec->VirtualAddress,
> efi + sec->PointerToRawData,
> copy_size);
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
More information about the barebox
mailing list