From: Luca Boccassi Date: Fri, 26 Jun 2026 19:12:36 +0000 (+0100) Subject: boot: bound PE section VirtualSize before zeroing the inner kernel X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=feeba8fa3b77ae3e8f0c2bedda94e4dab23d85c7;p=thirdparty%2Fsystemd.git boot: bound PE section VirtualSize before zeroing the inner kernel The inner-kernel section loader checks VirtualAddress + SizeOfRawData against kernel_size_in_memory (for the memcpy), but the memzero right after it clears up to VirtualAddress + VirtualSize, and VirtualSize is only constrained to be >= SizeOfRawData. Reject a VirtualAddress + VirtualSize that overflows or exceeds kernel_size_in_memory, mirroring the existing SizeOfRawData checks. Follow-up for cab9c7b5a42effa8a45611fc6b8556138c869b5f --- diff --git a/src/boot/linux.c b/src/boot/linux.c index bd71ada4835..d1da46ed4af 100644 --- a/src/boot/linux.c +++ b/src/boot/linux.c @@ -289,6 +289,10 @@ EFI_STATUS linux_exec( return log_error_status(EFI_LOAD_ERROR, "Section would write outside of memory"); if (h->SizeOfRawData > h->VirtualSize) return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, raw data size is greater than virtual size"); + if (UINT32_MAX - h->VirtualAddress < h->VirtualSize) + return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, VirtualSize + VirtualAddress overflows"); + if (h->VirtualAddress + h->VirtualSize > kernel_size_in_memory) + return log_error_status(EFI_LOAD_ERROR, "Section virtual size would write outside of memory"); if (UINT32_MAX - h->PointerToRawData < h->SizeOfRawData) return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, PointerToRawData + SizeOfRawData overflows"); if (h->PointerToRawData + h->SizeOfRawData > kernel->iov_len)