From: Vladimir Serbinenko Date: Sun, 8 Nov 2015 19:34:30 +0000 (+0100) Subject: cbfs: Check for ptr range sanity. X-Git-Tag: 2.02-beta3~187 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=855fe6869cc4407569513a231f2a01cb8215e77f;p=thirdparty%2Fgrub.git cbfs: Check for ptr range sanity. Triaged by Andrei and enhanced with suggestions by Aaron Durbin Also-By: Andrei Borzenkov --- diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c index a34eb88cb..5fc9c0147 100644 --- a/grub-core/fs/cbfs.c +++ b/grub-core/fs/cbfs.c @@ -344,8 +344,16 @@ init_cbfsdisk (void) ptr = *(grub_uint32_t *) 0xfffffffc; head = (struct cbfs_header *) (grub_addr_t) ptr; - - if (!validate_head (head)) + grub_dprintf ("cbfs", "head=%p\n", head); + + /* coreboot current supports only ROMs <= 16 MiB. Bigger ROMs will + have problems as RCBA is 18 MiB below end of 32-bit typically, + so either memory map would have to be rearranged or we'd need to support + reading ROMs through controller directly. + */ + if (ptr < 0xff000000 + || 0xffffffff - ptr < sizeof (*head) + 0x10 + || !validate_head (head)) return; cbfsdisk_size = ALIGN_UP (grub_be_to_cpu32 (head->romsize),
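Review bot: in the new condition in init_cbfsdisk, the `+ 0x10` margin in `0xffffffff - ptr < sizeof (*head) + 0x10` has no stated reason. The lower bound `ptr < 0xff000000` matches the 16 MiB limit described in the comment (0xff000000 is 16 MiB below the 4 GiB boundary), but nothing says what the extra 16 bytes after the header are meant to cover. Please name both literals as constants or extend the comment. The line after the check computes cbfsdisk_size from head->romsize, and nothing visible in this hunk bounds romsize to the same 16 MiB window, so it is worth confirming that validate_head rejects a header whose romsize exceeds it; the pointer check alone does not constrain the size later derived from the header. Minor: the comment should read "currently supports". The grub_dprintf placed before the range check is fine, since it prints the pointer value without dereferencing it.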