]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
boot: bound PE section VirtualSize before zeroing the inner kernel
authorLuca Boccassi <luca.boccassi@gmail.com>
Fri, 26 Jun 2026 19:12:36 +0000 (20:12 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Fri, 3 Jul 2026 14:19:39 +0000 (15:19 +0100)
The inner-kernel section loader checks VirtualAddress + SizeOfRawData
against kernel_size_in_memory (for the memcpy), but the memzero right
after it clears up to VirtualAddress + VirtualSize, and VirtualSize is
only constrained to be >= SizeOfRawData.

Reject a VirtualAddress + VirtualSize that overflows or exceeds
kernel_size_in_memory, mirroring the existing SizeOfRawData checks.

Follow-up for cab9c7b5a42effa8a45611fc6b8556138c869b5f

src/boot/linux.c

index bd71ada48358c84b806367a4e9de81240fde5e52..d1da46ed4afd3b8065da27e397d9cbcd21355c39 100644 (file)
@@ -289,6 +289,10 @@ EFI_STATUS linux_exec(
                         return log_error_status(EFI_LOAD_ERROR, "Section would write outside of memory");
                 if (h->SizeOfRawData > h->VirtualSize)
                         return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, raw data size is greater than virtual size");
+                if (UINT32_MAX - h->VirtualAddress < h->VirtualSize)
+                        return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, VirtualSize + VirtualAddress overflows");
+                if (h->VirtualAddress + h->VirtualSize > kernel_size_in_memory)
+                        return log_error_status(EFI_LOAD_ERROR, "Section virtual size would write outside of memory");
                 if (UINT32_MAX - h->PointerToRawData < h->SizeOfRawData)
                         return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, PointerToRawData + SizeOfRawData overflows");
                 if (h->PointerToRawData + h->SizeOfRawData > kernel->iov_len)