1 Star 0 Fork 59

hzero1996/shim

forked from src-openEuler/shim 
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
backport-CVE-2023-40550-pe-Fix-an-out-of-bound-read-in-verify.patch 1.52 KB
一键复制 编辑 原始数据 按行查看 历史
From 93ce2552f3e9f71f888a672913bfc0eef255c56d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 27 Jul 2023 14:57:32 -0400
Subject: [PATCH] CVE-2023-40550 pe: Fix an out-of-bound read in
verify_buffer_sbat()
In verify_buffer_sbat(), we have a goal-seeking loop to find the .sbat
section header. Unfortunately, while the actual contents of the section
are checked for being inside the binary, no such check exists for the
contents of the section table entry.
As a result, a carefully constructed binary will cause an out-of-bounds
read checking if the section name is ".sbat\0\0\0" or not.
This patch adds a check that each section table entry is within the
bounds of the binary.
It's not currently known if this is actually exploitable beyond creating
a denial of service, and an attacker who is in a position to use it for
a denial of service attack must already be able to do so.
Resolves: CVE-2023-40550
Reported-by: gkirkpatrick@google.com
Signed-off-by: Peter Jones <pjones@redhat.com>
---
shim.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/shim.c b/shim.c
index 01e5e56..3a97067 100644
--- a/shim.c
+++ b/shim.c
@@ -709,6 +709,11 @@ verify_buffer_sbat (char *data, int datasize,
Section = context->FirstSection;
for (i = 0; i < context->NumberOfSections; i++, Section++) {
+ if ((uint64_t)&Section[1] > (uint64_t)data + datasize) {
+ perror(L"Section exceeds bounds of image\n");
+ return EFI_UNSUPPORTED;
+ }
+
if (CompareMem(Section->Name, ".sbat\0\0\0", 8) != 0)
continue;
--
2.33.0
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/hzero1996/shim.git
git@gitee.com:hzero1996/shim.git
hzero1996
shim
shim
master

搜索帮助