efi_loader: don't load beyond VirtualSize

Message ID	20210209062150.mmshhxissljf6fak@talia.n4wrvuuuhszuhem3na2pm5saea.px.internal.cloudapp.net
State	Accepted, archived
Commit	9d30a941cce5ed055da18398f4deba18830d00d6
Delegated to:	Heinrich Schuchardt
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> Date: Tue, 9 Feb 2021 06:21:50 +0000 From: Asherah Connor <ashe@kivikakk.ee> To: u-boot@lists.denx.de Subject: [PATCH] efi_loader: don't load beyond VirtualSize Message-ID: <20210209062150.mmshhxissljf6fak@talia.n4wrvuuuhszuhem3na2pm5saea.px.internal.cloudapp.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	efi_loader: don't load beyond VirtualSize \| expand efi_loader: don't load beyond VirtualSize

Message ID

20210209062150.mmshhxissljf6fak@talia.n4wrvuuuhszuhem3na2pm5saea.px.internal.cloudapp.net

State

Accepted, archived

Commit

9d30a941cce5ed055da18398f4deba18830d00d6

Delegated to:

Heinrich Schuchardt

Headers

show

Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=kivikakk.ee header.i=@kivikakk.ee header.a=rsa-sha256
 header.s=fm3 header.b=2ivXkSQ/;
	dkim=pass (2048-bit key;
 unprotected) header.d=messagingengine.com header.i=@messagingengine.com
 header.a=rsa-sha256 header.s=fm2 header.b=XbtDi8oL;
	dkim-atps=neutral
Received: from phobos.denx.de (phobos.denx.de
 [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4DZhZk01Pxz9sVb
	for <incoming@patchwork.ozlabs.org>; Tue,  9 Feb 2021 23:11:32 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id DB106829F8;
	Tue,  9 Feb 2021 13:11:17 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=none (p=none dis=none) header.from=kivikakk.ee
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key;
 unprotected) header.d=kivikakk.ee header.i=@kivikakk.ee header.b="2ivXkSQ/";
	dkim=pass (2048-bit key;
 unprotected) header.d=messagingengine.com header.i=@messagingengine.com
 header.b="XbtDi8oL";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 74622829C6; Tue,  9 Feb 2021 07:21:58 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS autolearn=ham
 autolearn_force=no version=3.4.2
Received: from wnew1-smtp.messagingengine.com (wnew1-smtp.messagingengine.com
 [64.147.123.26])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 9DEC2829B9
 for <u-boot@lists.denx.de>; Tue,  9 Feb 2021 07:21:55 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=none (p=none dis=none) header.from=kivikakk.ee
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=ashe@kivikakk.ee
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailnew.west.internal (Postfix) with ESMTP id 929EC9D0
 for <u-boot@lists.denx.de>; Tue,  9 Feb 2021 01:21:53 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute5.internal (MEProxy); Tue, 09 Feb 2021 01:21:53 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kivikakk.ee; h=
 date:from:to:subject:message-id:mime-version:content-type; s=
 fm3; bh=7qo0JYChiygpj2O9khdCe4OL6IYuR/jhIPpQp+ryEtQ=; b=2ivXkSQ/
 fBaynqhlaFj7OD+nKocdl0TPaWTfaFE2bsk1GxFPJ2tFmT+YqoH15r8ytQNPTssp
 EverVGUHTR+Jw62eEKfI1b95+f0H44+cUIV6d8I1OmhtvSi46jWQoqczi9mnYMYu
 zs26NC2p5OP0l/DaQTbgQZt9XI1BG52FbsG7vM5yUCzHROpZCDy+PIUDV6YfrzLk
 oVd/NiYnJEtx19gBrOCBtA3K2aXmmXp9VjIQQC3RtC8+oA6zAEjqQqSv4pAi7b7I
 Grgmw5OtAFenWx/iX1S1gGpWVYKvPUNJNL+KRucDyUtEJeCe0L7Eb66XTCwY3Gqf
 H2WjasIGX3BquA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=7qo0JYChiygpj2O9khdCe4OL6IYuR
 /jhIPpQp+ryEtQ=; b=XbtDi8oLNgDcOx3a34Nl6qZq1AUDa63WbWaQSDAICRr4N
 BrTwxTLGOwPeICrmoVF4o/P1OyEsRbbCIECS/pJ0eSQNw9bThrTHaBfej5K+bhDs
 TkKy2hPObCPUNA85gJ1LPoPEBRVjQDB0I79LKPAriWi9PbX/JjQ4Wb97RVYg/I6A
 F5U1WWPprWe1QKRAFe24gUO4qf8s08BMAKWHXiJ5lfcbkRO1J4T4o2oM77jzv9/v
 rJNhmOFbnpkHH/1hJxG1Awcc3svbA5kBOjLOX0CchzyXE4jtbL098SDErqKIApzC
 M2ICcLvX9OaDFYCUejUHCmwZYFEc1JMawFVzj0SgQ==
X-ME-Sender: <xms:ACoiYLkARPZwxQWkqWNAJUm2CZd9rtZJxn1QC4eE-QWGZVjnKYkdjg>
 <xme:ACoiYO2gHFTvBsh03CBW97VjvN4161IrQZbMFT_MDKbXOBx4e_Gia2BuPkAeK1_AK
 73TYJdN1Ju_nWiP3rY>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeduledrheeggdelhecutefuodetggdotefrodftvf
 curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
 uegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfggtggusehttdertddttd
 dvnecuhfhrohhmpeetshhhvghrrghhucevohhnnhhorhcuoegrshhhvgeskhhivhhikhgr
 khhkrdgvvgeqnecuggftrfgrthhtvghrnhepueeujeeugedvjeekteffgeelfeejjeethf
 fffeegieehvdeitdekieeuhfegffegnecukfhppedufedrjeefrddvtdeirdeiudenucev
 lhhushhtvghrufhiiigvpedunecurfgrrhgrmhepmhgrihhlfhhrohhmpegrshhhvgeskh
 hivhhikhgrkhhkrdgvvg
X-ME-Proxy: <xmx:ASoiYBrLoWAGy0WgQ4ZxxeOusRIyVongivXyukxG8ytE2I2pkMUYrg>
 <xmx:ASoiYDlCOI6aRB5KMlc5Caf0ibf9Uo3MxKZLUnEvU29gcXGlsy3M9w>
 <xmx:ASoiYJ0sQ9BhwJjkiFameAX19KagbSHyyypnQFTw6f39TwUW1sGrhA>
 <xmx:ASoiYKBpRInJPl994dGzv5zMWw3x95HXTw1Czu5wmp6S2DGbt0wAgcnn6uM>
Received: from talia.n4wrvuuuhszuhem3na2pm5saea.px.internal.cloudapp.net
 (talia.hrzn.ee [13.73.206.61])
 by mail.messagingengine.com (Postfix) with ESMTPA id 43876108005C
 for <u-boot@lists.denx.de>; Tue,  9 Feb 2021 01:21:52 -0500 (EST)
Date: Tue, 9 Feb 2021 06:21:50 +0000
From: Asherah Connor <ashe@kivikakk.ee>
To: u-boot@lists.denx.de
Subject: [PATCH] efi_loader: don't load beyond VirtualSize
Message-ID: 
 <20210209062150.mmshhxissljf6fak@talia.n4wrvuuuhszuhem3na2pm5saea.px.internal.cloudapp.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Mailman-Approved-At: Tue, 09 Feb 2021 13:11:16 +0100
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de
X-Virus-Status: Clean

Series

efi_loader: don't load beyond VirtualSize | expand

Commit Message

Asherah Connor Feb. 9, 2021, 6:21 a.m. UTC

PE section table entries' SizeOfRawData must be a multiple of
FileAlignment, and thus may be rounded up and larger than their
VirtualSize.

We should not load beyond the VirtualSize, which is "the total size of
the section when loaded into memory" -- we may clobber real data at the
target in some other section, since we load sections in reverse order
and sections are usually laid out sequentially.

Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
CC: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 lib/efi_loader/efi_image_loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index d4dd9e9433..f53ef367ec 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -843,7 +843,7 @@  efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
 		       sec->Misc.VirtualSize);
 		memcpy(efi_reloc + sec->VirtualAddress,
 		       efi + sec->PointerToRawData,
-		       sec->SizeOfRawData);
+		       min(sec->Misc.VirtualSize, sec->SizeOfRawData));
 	}
 
 	/* Run through relocations */

efi_loader: don't load beyond VirtualSize

Commit Message

Patch