| From 93ce2552f3e9f71f888a672913bfc0eef255c56d Mon Sep 17 00:00:00 2001 |
| From: Peter Jones <pjones@redhat.com> |
| Date: Thu, 27 Jul 2023 14:57:32 -0400 |
| Subject: [PATCH] CVE-2023-40550 pe: Fix an out-of-bound read in |
| verify_buffer_sbat() |
| |
| In verify_buffer_sbat(), we have a goal-seeking loop to find the .sbat |
| section header. Unfortunately, while the actual contents of the section |
| are checked for being inside the binary, no such check exists for the |
| contents of the section table entry. |
| |
| As a result, a carefully constructed binary will cause an out-of-bounds |
| read checking if the section name is ".sbat\0\0\0" or not. |
| |
| This patch adds a check that each section table entry is within the |
| bounds of the binary. |
| |
| It's not currently known if this is actually exploitable beyond creating |
| a denial of service, and an attacker who is in a position to use it for |
| a denial of service attack must already be able to do so. |
| |
| Resolves: CVE-2023-40550 |
| Reported-by: gkirkpatrick@google.com |
| Signed-off-by: Peter Jones <pjones@redhat.com> |
| --- |
| shim.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| diff --git a/shim.c b/shim.c |
| index 01e5e5608..3a97067b2 100644 |
| --- a/shim.c |
| +++ b/shim.c |
| @@ -709,6 +709,11 @@ verify_buffer_sbat (char *data, int datasize, |
| |
| Section = context->FirstSection; |
| for (i = 0; i < context->NumberOfSections; i++, Section++) { |
| + if ((uint64_t)&Section[1] > (uint64_t)data + datasize) { |
| + perror(L"Section exceeds bounds of image\n"); |
| + return EFI_UNSUPPORTED; |
| + } |
| + |
| if (CompareMem(Section->Name, ".sbat\0\0\0", 8) != 0) |
| continue; |
| |
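Review bot: the check at the top of the loop guards only the entries this particular walk visits, and it depends on `datasize` (declared `int` in the `verify_buffer_sbat` signature shown in the hunk header) being non-negative and on `(uint64_t)data + datasize` not wrapping; a negative `datasize` would be converted to a huge unsigned value and the comparison would never fire. Consider validating the whole table once where `context->FirstSection` and `context->NumberOfSections` are populated, e.g. checking `NumberOfSections * sizeof(*Section)` against the bytes remaining after `FirstSection`, so every consumer of the section table inherits the guard and this loop-local test becomes defence in depth rather than the only one. A one-line comment that `&Section[1]` is the end of the current entry (hence `>` rather than `>=`) would also save the next reader a moment.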