[PATCH 1/4] efi: loader: fix integer overflow in PE virt_size calculation

Sascha Hauer s.hauer at pengutronix.de
Tue Apr 14 03:06:13 PDT 2026


On Mon, 13 Apr 2026 14:36:43 +0200, Sascha Hauer wrote:
> sec->VirtualAddress and section_size() are both u32. Their addition can
> wrap on overflow before being widened to unsigned long by max_t. For
> example VirtualAddress=0xFFFF0000 + VirtualSize=0x20000 wraps to
> 0x10000, producing an undersized allocation. The subsequent memset and
> memcpy to efi_reloc + sec->VirtualAddress then write far past the
> allocated buffer.
> 
> [...]

Applied, thanks!

[1/4] efi: loader: fix integer overflow in PE virt_size calculation
      https://git.pengutronix.de/cgit/barebox/commit/?id=b6598389d46d (link may not be stable)
[2/4] efi: loader: validate section raw data bounds against image size
      https://git.pengutronix.de/cgit/barebox/commit/?id=552a54e4d357 (link may not be stable)
[3/4] efi: loader: fix SizeOfBlock underflow in relocation processing
      https://git.pengutronix.de/cgit/barebox/commit/?id=a848b6109544 (link may not be stable)
[4/4] efi: loader: bounds-check relocation offsets against image size
      https://git.pengutronix.de/cgit/barebox/commit/?id=1e97eec23476 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer at pengutronix.de>
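
The wrap described in the quoted commit message, as an added example that is not part of this mail or of the barebox code: a 32-bit sum of the two section fields next to a widened, bounds-checked one. The struct, the function names and the 64 MiB limit are assumptions made for illustration; the fix as actually applied is not shown on this page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified section header: only the two u32 fields involved. */
struct sec_hdr {
	uint32_t virtual_address;
	uint32_t virtual_size;
};

/* Overflow-prone form: the sum is computed in 32 bits and wraps before widening. */
static uint64_t virt_size_wrapping(const struct sec_hdr *s, size_t n)
{
	uint64_t max = 0;
	for (size_t i = 0; i < n; i++) {
		uint32_t end = s[i].virtual_address + s[i].virtual_size; /* mod 2^32 */
		if (end > max)
			max = end;
	}
	return max;
}

/* Hardened form: widen first, then add, and reject any section ending past
 * an assumed upper bound on the loaded image size. */
static bool virt_size_checked(const struct sec_hdr *s, size_t n,
			      uint64_t limit, uint64_t *out)
{
	uint64_t max = 0;
	for (size_t i = 0; i < n; i++) {
		uint64_t end = (uint64_t)s[i].virtual_address + s[i].virtual_size;
		if (end > limit)
			return false;
		if (end > max)
			max = end;
	}
	*out = max;
	return true;
}

int main(void)
{
	/* Constructed headers; the second uses the values from the commit message. */
	const struct sec_hdr secs[] = { { 0x1000, 0x2000 }, { 0xFFFF0000u, 0x20000 } };
	uint64_t sz = 0;
	printf("wrapping: 0x%llx\n", (unsigned long long)virt_size_wrapping(secs, 2));
	printf("checked accepted: %d\n", virt_size_checked(secs, 2, 64u << 20, &sz));
	return 0;
}
```

The wrapping form reports 0x10000 for the second section even though its data would end above 4 GiB, which is the undersized allocation the commit message describes; the checked form refuses the image instead.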



