From 93ce2552f3e9f71f888a672913bfc0eef255c56d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 27 Jul 2023 14:57:32 -0400
Subject: [PATCH] CVE-2023-40550 pe: Fix an out-of-bound read in
 verify_buffer_sbat()

In verify_buffer_sbat(), we have a goal-seeking loop to find the .sbat
section header.  Unfortunately, while the actual contents of the section
are checked for being inside the binary, no such check exists for the
contents of the section table entry.

As a result, a carefully constructed binary will cause an out-of-bounds
read checking if the section name is ".sbat\0\0\0" or not.

This patch adds a check that each section table entry is within the
bounds of the binary.

It's not currently known if this is actually exploitable beyond creating
a denial of service, and an attacker who is in a position to use it for
a denial of service attack must already be able to do so.

Resolves: CVE-2023-40550
Reported-by: gkirkpatrick@google.com
Signed-off-by: Peter Jones <pjones@redhat.com>
---
 shim.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/shim.c b/shim.c
index 01e5e56..3a97067 100644
--- a/shim.c
+++ b/shim.c
@@ -709,6 +709,11 @@ verify_buffer_sbat (char *data, int datasize,
 
 	Section = context->FirstSection;
 	for (i = 0; i < context->NumberOfSections; i++, Section++) {
+		if ((uint64_t)&Section[1] > (uint64_t)data + datasize) {
+			perror(L"Section exceeds bounds of image\n");
+			return EFI_UNSUPPORTED;
+		}
+
 		if (CompareMem(Section->Name, ".sbat\0\0\0", 8) != 0)
 			continue;
 
-- 
2.33.0