]> git.ipfire.org Git - thirdparty/ipxe.git/commitdiff
projects / thirdparty / ipxe.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c315ae0)
[romprefix] Use correct size for PMM allocation of image source block
authorMichael Brown <mcb30@ipxe.org>
Tue, 15 Mar 2011 01:52:58 +0000 (01:52 +0000)
committerMichael Brown <mcb30@ipxe.org>
Tue, 15 Mar 2011 02:07:22 +0000 (02:07 +0000)
iPXE allocates its first PMM block using the image source length,
which is rounded up to the nearest 16-byte paragraph.  It then copies
in data of a length calculated from the ROM size, which is
theoretically less than or equal to the image source length, but is
rounded up to the nearest 512-byte sector.  This can result in copying
beyond the end of the allocated PMM block, which can corrupt the PMM
data structures (and other essentially arbitrary areas of memory).

Fix by rounding up the image source length to the nearest 512-byte
sector before using it as the PMM allocation length.

Reported-by: Alex Williamson <alex.williamson@redhat.com>
Reported-by: Jarrod Johnson <jarrod.b.johnson@gmail.com>
Reported-by: Itay Gazit <itayg@mellanox.co.il>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/arch/i386/prefix/romprefix.S patch | blob | blame | history

diff --git a/src/arch/i386/prefix/romprefix.S b/src/arch/i386/prefix/romprefix.S
index ede0fb425cf936826360497aef0ef790b3d78927..dd602ddb7108fb6afa0805a312208dd830437bd1 100644 (file)
--- a/src/arch/i386/prefix/romprefix.S
+++ b/src/arch/i386/prefix/romprefix.S
@@ -320,7 +320,8 @@ pmm_scan:
        /* We have PMM and so a 1kB stack: preserve whole registers */
        pushal
        /* Allocate image source PMM block */
-       movzwl  image_source_len_pgh, %ecx
+       movzwl  image_source_size, %ecx
+       shll    $5, %ecx
        movl    $PMM_HANDLE_BASE_IMAGE_SOURCE, %ebx
        movw    $get_pmm_image_source, %bp
        call    get_pmm
@@ -565,16 +566,16 @@ image_source:
        .long   0
        .size   image_source, . - image_source
 
-/* Image source area length (in paragraphs)
+/* Image source size (in 512-byte sectors)
  *
  */
-image_source_len_pgh:
+image_source_size:
        .word   0
-       .size   image_source_len_pgh, . - image_source_len_pgh
+       .size   image_source_size, . - image_source_size
        .section ".zinfo.fixup", "a", @progbits /* Compressor fixups */
        .ascii  "ADDW"
-       .long   image_source_len_pgh
-       .long   16
+       .long   image_source_size
+       .long   512
        .long   0
        .previous
 
Mirror of https://github.com/ipxe/ipxe.git