From: Alec Brown <alec.r.brown@oracle.com>
Date: Mon, 22 May 2023 20:52:47 +0000 (-0400)
Subject: loader/multiboot_elfxx: Check section header region before allocating memory
X-Git-Tag: grub-2.12-rc1~60
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c8cf8272f4a8b664585eaecefe55a363b8e41765;p=thirdparty%2Fgrub.git

loader/multiboot_elfxx: Check section header region before allocating memory

In grub-core/loader/multiboot_elfxx.c, space is being allocated for the section
header region, but isn't verifying if the region is within the file's size.
Before calling grub_calloc(), we can add a conditional to check if the section
header region is smaller than the file size.

Fixes: CID 314029
Fixes: CID 314038

Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---

diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
index 6f3516168..a81a8d38b 100644
--- a/grub-core/loader/multiboot_elfxx.c
+++ b/grub-core/loader/multiboot_elfxx.c
@@ -248,6 +248,9 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
     {
       grub_uint8_t *shdr, *shdrptr;
 
+      if ((grub_off_t) ehdr->e_shoff + shnum * ehdr->e_shentsize > grub_file_size (mld->file))
+	return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("ELF section header region is larger than the file size"));
+
       shdr = grub_calloc (shnum, ehdr->e_shentsize);
       if (!shdr)
 	return grub_errno;