首页 开源 资讯 活动 开源许可证
软件工程云服务
软件代码质量检测云服务 持续集成与部署云服务 社区个性化内容推荐服务 贡献审阅人推荐服务 群体化学习服务 重睛鸟代码扫描工具
Watch 1 Star 0 Fork 59

陈棋德/shim

forked from src-openEuler/shim 
代码 Issues 0 Pull Requests 0 Wiki 0 统计
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
backport-CVE-2023-40548-Fix-integer-overflow-on-SBAT-section-.patch 2.49 KB
一键复制 编辑 原始数据 按行查看 历史
jinlun 提交于 2024-01-25 10:28 . fix CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475
From 96dccc255b16e9465dbee50b3cef6b3db74d11c8 Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Thu, 27 Jul 2023 15:21:31 -0400

Subject: [PATCH] CVE-2023-40548 Fix integer overflow on SBAT section size on

 32-bit system



In verify_sbat_section(), we do some math on data that comes from the

binary being verified - in this case, we add 1 to the size of the

".sbat" section as reported in the section header, which is then used as

the input to the size of an allocation.  The original value is then used

for a size in a memcpy(), which means there's an out-of-bounds write in

the overflow case.



Due to the type of the variable being size_t, but the type in the

section header being uint32_t, this is only plausibly accomplished on

32-bit systems.



This patch makes the arithmetic use a checked add operation to avoid

overflow.  Additionally, it adds a check in verify_buffer_sbat() to

guarantee that the data is within the binary.



It's not currently known if this is actually exploitable on such

systems; the memory layout on a particular machine may further mitigate

this scenario.



Resolves: CVE-2023-40548

Reported-by: gkirkpatrick@google.com

Signed-off-by: Peter Jones <pjones@redhat.com>

---

 pe.c   | 6 +++++-

 shim.c | 6 ++++++

 2 files changed, 11 insertions(+), 1 deletion(-)



diff --git a/pe.c b/pe.c

index e15b89f..b3a9d46 100644

--- a/pe.c

+++ b/pe.c

@@ -355,7 +355,11 @@ verify_sbat_section(char *SBATBase, size_t SBATSize)

 		return in_protocol ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;

 	}

 

-	sbat_size = SBATSize + 1;

+	if (checked_add(SBATSize, 1, &sbat_size)) {

+		dprint(L"SBATSize + 1 would overflow\n");

+		return EFI_SECURITY_VIOLATION;

+	}

+

 	sbat_data = AllocatePool(sbat_size);

 	if (!sbat_data) {

 		console_print(L"Failed to allocate .sbat section buffer\n");

diff --git a/shim.c b/shim.c

index 3fd1e2a..84a98ca 100644

--- a/shim.c

+++ b/shim.c

@@ -743,11 +743,17 @@ verify_buffer_sbat (char *data, int datasize,

 		 * and ignore the section if it isn't. */

 		if (Section->SizeOfRawData &&

 		    Section->SizeOfRawData >= Section->Misc.VirtualSize) {

+			uint64_t boundary;

 			SBATBase = ImageAddress(data, datasize,

 						Section->PointerToRawData);

 			SBATSize = Section->SizeOfRawData;

 			dprint(L"sbat section base:0x%lx size:0x%lx\n",

 			       SBATBase, SBATSize);

+			if (checked_add((uint64_t)SBATBase, SBATSize, &boundary) ||

+			    (boundary > (uint64_t)data + datasize)) {

+				perror(L"Section exceeds bounds of image\n");

+				return EFI_UNSUPPORTED;

+			}

 		}

 	}

 

-- 

2.33.0
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化