cbfs: Check for ptr range sanity.

Triaged by Andrei and enhanced with suggestions by Aaron Durbin
Also-By: Andrei Borzenkov <arvidjaar@gmail.com>

diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
index a34eb88cba5e84239dde1a0c23fe1fa0ed546c0c..5fc9c0147c42f933c11433c06d5309f58cd8e4ea 100644 (file)
--- a/grub-core/fs/cbfs.c
+++ b/grub-core/fs/cbfs.c
@@ -344,8 +344,16 @@ init_cbfsdisk (void)
 
   ptr = *(grub_uint32_t *) 0xfffffffc;
   head = (struct cbfs_header *) (grub_addr_t) ptr;
-
-  if (!validate_head (head))
+  grub_dprintf ("cbfs", "head=%p\n", head);
+
+  /* coreboot current supports only ROMs <= 16 MiB. Bigger ROMs will
+     have problems as RCBA is 18 MiB below end of 32-bit typically,
+     so either memory map would have to be rearranged or we'd need to support
+     reading ROMs through controller directly.
+   */
+  if (ptr < 0xff000000
+      || 0xffffffff - ptr < sizeof (*head) + 0x10
+      || !validate_head (head))
     return;
 
   cbfsdisk_size = ALIGN_UP (grub_be_to_cpu32 (head->romsize),