[PATCH 1/4] elf: Check program memory isn't larger than allocated memory

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 1/4] elf: Check program memory isn't larger than allocated memory

From:	Alec Brown
Subject:	[PATCH 1/4] elf: Check program memory isn't larger than allocated memory size
Date:	Mon, 22 May 2023 16:52:46 -0400

In grub-core/loader/multiboot_elfxx.c, the code is filling an area of memory
with grub_memset() but doesn't check if there is space in the allocated memory
before doing so. To make sure we aren't zeroing memory past the allocated memory
region, we need to check that the offset into the allocated memory region plus
the memory size of the program is smaller than the allocated memory size.

Fixes: CID 314029
Fixes: CID 314038

Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
---
 grub-core/loader/multiboot_elfxx.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/grub-core/loader/multiboot_elfxx.c 
b/grub-core/loader/multiboot_elfxx.c
index e067d2d84..69f567588 100644
--- a/grub-core/loader/multiboot_elfxx.c
+++ b/grub-core/loader/multiboot_elfxx.c
@@ -67,7 +67,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
   char *phdr_base;
   grub_err_t err;
   grub_relocator_chunk_t ch;
-  grub_uint32_t load_offset = 0, load_size;
+  grub_uint32_t load_offset = 0, load_size = 0;
   Elf_Shnum shnum;
   Elf_Word shstrndx, phnum;
   unsigned int i;
@@ -170,8 +170,9 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
            }
          else
            {
+             load_size = phdr(i)->p_memsz;
              err = grub_relocator_alloc_chunk_addr (GRUB_MULTIBOOT 
(relocator), &ch,
-                                                    phdr(i)->p_paddr, 
phdr(i)->p_memsz);
+                                                    phdr(i)->p_paddr, 
load_size);
 
              if (err != GRUB_ERR_NONE)
                {
@@ -199,8 +200,14 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
            }
 
           if (phdr(i)->p_filesz < phdr(i)->p_memsz)
-            grub_memset ((grub_uint8_t *) source + load_offset + 
phdr(i)->p_filesz, 0,
-                        phdr(i)->p_memsz - phdr(i)->p_filesz);
+           {
+             /* Need to insure that the memory being set isn't larger than the 
allocated memory*/
+             if (load_offset + phdr(i)->p_memsz - phdr(i)->p_filesz > 
load_size)
+               return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("memory being set 
is larger than allocated memory"));
+
+              grub_memset ((grub_uint8_t *) source + load_offset + 
phdr(i)->p_filesz, 0,
+                          phdr(i)->p_memsz - phdr(i)->p_filesz);
+           }
         }
     }
 
-- 
2.27.0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/4] Address coverity untrusted loop bound bugs in multiboot_elfxx.c, Alec Brown, 2023/05/22
- [PATCH 3/4] elf: check program header offset doesn't exceed constraints, Alec Brown, 2023/05/22
- [PATCH 4/4] efi: Fix use-after-free in finish boot services, Alec Brown, 2023/05/22
- [PATCH 1/4] elf: Check program memory isn't larger than allocated memory size, Alec Brown <=
- [PATCH 2/4] elf: Check section header region before allocating memory, Alec Brown, 2023/05/22
- Re: [PATCH 0/4] Address coverity untrusted loop bound bugs in multiboot_elfxx.c, Daniel Kiper, 2023/05/23

Prev by Date: [PATCH 4/4] efi: Fix use-after-free in finish boot services
Next by Date: [PATCH 2/4] elf: Check section header region before allocating memory
Previous by thread: [PATCH 4/4] efi: Fix use-after-free in finish boot services
Next by thread: [PATCH 2/4] elf: Check section header region before allocating memory
Index(es):
- Date
- Thread