From: Luca Boccassi Date: Sat, 28 Mar 2026 22:06:51 +0000 (+0000) Subject: boot: clamp setup header copy size to sizeof(SetupHeader) X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a770fb3e14d434ef25f092c2f3293a43448c92cd;p=thirdparty%2Fsystemd.git boot: clamp setup header copy size to sizeof(SetupHeader) The setup_size field from the kernel image header is used as part of the memcpy size. Clamp it to sizeof(SetupHeader) to ensure the copy does not read beyond the struct bounds even if the kernel image header contains an unexpected value. CID#1549197 Follow-up for d62c1777568ff69034fd5b5d582a2889229f7e20 --- diff --git a/src/boot/linux_x86.c b/src/boot/linux_x86.c index cf9707a6cfd..349e3fb26c0 100644 --- a/src/boot/linux_x86.c +++ b/src/boot/linux_x86.c @@ -195,9 +195,14 @@ EFI_STATUS linux_exec_efi_handover( /* Setup size is determined by offset 0x0202 + byte value at offset 0x0201, which is the same as * offset of the header field and the target from the jump field (which we split for this reason). */ + size_t setup_hdr_len; + if (!ADD_SAFE(&setup_hdr_len, offsetof(SetupHeader, header), image_params->hdr.setup_size)) + setup_hdr_len = sizeof(SetupHeader); + else + setup_hdr_len = MIN(setup_hdr_len, sizeof(SetupHeader)); memcpy(&boot_params->hdr, &image_params->hdr, - offsetof(SetupHeader, header) + image_params->hdr.setup_size); + setup_hdr_len); boot_params->hdr.type_of_loader = 0xff;
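Review bot: the overflow fallback (`setup_hdr_len = sizeof(SetupHeader)`) silently copies the whole struct instead of treating an out-of-range `setup_size` as a malformed image; since the comment directly above says the size is derived from a "byte value at offset 0x0201", `offsetof(SetupHeader, header) + image_params->hdr.setup_size` cannot overflow a `size_t` in practice, so the `ADD_SAFE` branch is purely defensive and a short comment saying so (and why clamping rather than rejecting is acceptable here, given `image_params->hdr` is itself a full `SetupHeader` and the copy stays within both the source and destination objects) would make the intent clear to the next reader. Consider also extending the existing comment above the new lines to mention the clamp, as it still describes only the unclamped computation; e.g. "..., clamped to sizeof(SetupHeader) so an unexpected value in the image header cannot extend the copy past the struct."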