boot: clamp setup header copy size to sizeof(SetupHeader)
authorLuca Boccassi <luca.boccassi@gmail.com>
Sat, 28 Mar 2026 22:06:51 +0000 (22:06 +0000)
committerLuca Boccassi <luca.boccassi@gmail.com>
Mon, 30 Mar 2026 09:55:33 +0000 (10:55 +0100)
The setup_size field from the kernel image header is used as part
of the memcpy size. Clamp the resulting length to sizeof(SetupHeader)
so the copy cannot read from or write past the end of the SetupHeader
struct, even if the kernel image header carries an unexpected value.

CID#1549197

Follow-up for d62c1777568ff69034fd5b5d582a2889229f7e20

src/boot/linux_x86.c

index cf9707a6cfd7ab405bec2db8662783f2ba6668d7..349e3fb26c01b5206e6a8151c70251a48b4b18ec 100644 (file)
@@ -195,9 +195,14 @@ EFI_STATUS linux_exec_efi_handover(
 
         /* Setup size is determined by offset 0x0202 + byte value at offset 0x0201, which is the same as
          * offset of the header field and the target from the jump field (which we split for this reason). */
+        size_t setup_hdr_len;
+        if (!ADD_SAFE(&setup_hdr_len, offsetof(SetupHeader, header), image_params->hdr.setup_size))
+                setup_hdr_len = sizeof(SetupHeader);
+        else
+                setup_hdr_len = MIN(setup_hdr_len, sizeof(SetupHeader));
         memcpy(&boot_params->hdr,
                &image_params->hdr,
-               offsetof(SetupHeader, header) + image_params->hdr.setup_size);
+               setup_hdr_len);
 
         boot_params->hdr.type_of_loader = 0xff;