loader/multiboot_elfxx: Check section header region before allocating memory

In grub-core/loader/multiboot_elfxx.c, space is being allocated for the section
header region, but isn't verifying if the region is within the file's size.
Before calling grub_calloc(), we can add a conditional to check if the section
header region is smaller than the file size.

Fixes: CID 314029
Fixes: CID 314038
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
index 6f3516168608508149e74862584a23224b4fcae7..a81a8d38bda46b0cf353fb566f6d520e555c7caf 100644 (file)
--- a/grub-core/loader/multiboot_elfxx.c
+++ b/grub-core/loader/multiboot_elfxx.c
@@ -248,6 +248,9 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
     {
       grub_uint8_t *shdr, *shdrptr;
 
+      if ((grub_off_t) ehdr->e_shoff + shnum * ehdr->e_shentsize > grub_file_size (mld->file))
+       return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("ELF section header region is larger than the file size"));
+
       shdr = grub_calloc (shnum, ehdr->e_shentsize);
       if (!shdr)
        return grub_errno;