On Thu, Mar 09, 2023 at 02:43:59PM -0500, Alec Brown wrote: > In grub-module-verifierXX.c, the function grub_module_verifyXX() performs an > initial check that the ELF section headers are within the module's size, but > doesn't check if the sections being accessed have contents that are within the > module's size. In particular, we need to check that sh_offset and sh_size are > less than the module's size. However, for some section header types we don't > need to make these checks. For the type SHT_NULL, the section header is marked > as inactive and the rest of the members within the section header have > undefined > values, so we don't need to check for sh_offset or sh_size. In the case of the > type SHT_NOBITS, sh_offset has a conceptual offset which may be beyond the > module size. Also, this type's sh_size may have a non-zero size, but a section > of this type will take up no space in the module. This can all be checked in > the > function get_shdr(), but in order to do so, the parameter module_size must be > added to functions so that the value of the module size can be used in > get_shdr() from grub_module_verifyXX(). > > Also, had to rework some for loops to ensure the index passed to get_shdr() is > within bounds. > > Signed-off-by: Alec Brown <alec.r.br...@oracle.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel