From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 24 Jun 2024 13:25:07 +0000 (+0200)
Subject: pe: be more careful when loading PE section list into memory
X-Git-Tag: v257-rc1~1041^2~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a479597218d40df1097ac882f5db9cc747d0f7f;p=thirdparty%2Fsystemd.git

pe: be more careful when loading PE section list into memory

Let's put a limit on how much memory we'll allocate for the section. And
let's add a safety overflow check.

(This is more a theoretic than a real problem, since on all PE archs
NumberOfSections is 16bit only.)
---

diff --git a/src/boot/efi/pe.c b/src/boot/efi/pe.c
index 829266b7f59..8c5e5f732d5 100644
--- a/src/boot/efi/pe.c
+++ b/src/boot/efi/pe.c
@@ -119,6 +119,8 @@ typedef struct PeSectionHeader {
         uint32_t Characteristics;
 } _packed_ PeSectionHeader;
 
+#define SECTION_TABLE_BYTES_MAX (16U * 1024U * 1024U)
+
 static bool verify_dos(const DosFileHeader *dos) {
         assert(dos);
         return memcmp(dos->Magic, DOS_FILE_MAGIC, STRLEN(DOS_FILE_MAGIC)) == 0;
@@ -309,7 +311,13 @@ EFI_STATUS pe_file_locate_sections(
         if (len != sizeof(pe) || !verify_pe(&pe, /* allow_compatibility= */ false))
                 return EFI_LOAD_ERROR;
 
-        section_table_len = pe.FileHeader.NumberOfSections * sizeof(PeSectionHeader);
+        DISABLE_WARNING_TYPE_LIMITS;
+        if ((size_t) pe.FileHeader.NumberOfSections > SIZE_MAX / sizeof(PeSectionHeader))
+                return EFI_OUT_OF_RESOURCES;
+        REENABLE_WARNING;
+        section_table_len = (size_t) pe.FileHeader.NumberOfSections * sizeof(PeSectionHeader);
+        if (section_table_len > SECTION_TABLE_BYTES_MAX)
+                return EFI_OUT_OF_RESOURCES;
         section_table = xmalloc(section_table_len);
         if (!section_table)
                 return EFI_OUT_OF_RESOURCES;