On Mon, May 22, 2023 at 04:52:45PM -0400, Alec Brown wrote:
> Coverity has listed two untrusted loop bound bugs in
> grub-core/loader/multiboot_elfxx.c. They are CID 314029 and CID 314038. After
> testing the first patch, the CID changed to an untrusted loop bound for line
> 244: shdr = grub_calloc (shnum, ehdr->e_shentsize);. I added a second patch to
> address this, but after making these changes, it reverted to the original bug of
> using tainted data in grub_memset(). The third patch addresses Coverity's issue
> with phdr() in grub_memset() and reduces the bug to only having an issue with
> using phnum as an untrusted loop bound. However, we can ignore this since phnum
> is already getting checked earlier in the function.
>
> I've also bundled a use-after-free patch with this patch set at the end.
>
> Alec Brown (4):
>   elf: Check program memory isn't larger than allocated memory size
>   elf: Check section header region before allocating memory
>   elf: check program header offset doesn't exceed constraints
>   efi: Fix use-after-free in finish boot services

For all the patches Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>...

Thank you for fixing these issues!

Daniel
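
One way to do the kind of check the second patch's title describes, validating the section header region before a `calloc (shnum, e_shentsize)`-style allocation. This is an added example, not GRUB's code or any of the patches in this series; the function names `shdr_region_ok` and `load_shdrs`, the parameter layout and the sample image are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 when shnum entries of shentsize bytes starting at shoff lie
   entirely inside a file image of file_len bytes. shoff, shnum and
   shentsize come from the untrusted image, so nothing is multiplied or
   added before it has been range-checked. */
int shdr_region_ok(uint64_t shoff, uint64_t shnum,
                   uint64_t shentsize, uint64_t file_len)
{
  if (shnum == 0 || shentsize == 0)
    return 0;                       /* nothing sensible to load */
  if (shoff > file_len)
    return 0;                       /* table starts past the end */
  /* shnum * shentsize <= file_len - shoff, written so it cannot wrap */
  if (shnum > (file_len - shoff) / shentsize)
    return 0;
  return 1;
}

/* Copies the section header table out of the image, or returns NULL
   without allocating when the region check fails. */
void *load_shdrs(const uint8_t *image, uint64_t file_len,
                 uint64_t shoff, uint64_t shnum, uint64_t shentsize)
{
  void *shdr;
  if (!shdr_region_ok(shoff, shnum, shentsize, file_len))
    return NULL;
  shdr = calloc((size_t) shnum, (size_t) shentsize);
  if (shdr != NULL)
    memcpy(shdr, image + shoff, (size_t) (shnum * shentsize));
  return shdr;
}

int main(void)
{
  uint8_t image[256] = {0};         /* constructed stand-in for an ELF image */
  void *ok = load_shdrs(image, sizeof image, 64, 3, 64);
  void *bad = load_shdrs(image, sizeof image, 64, 4, 64);
  printf("in-bounds: %s, out-of-bounds: %s\n",
         ok ? "loaded" : "rejected", bad ? "loaded" : "rejected");
  free(ok);
  free(bad);
  return 0;
}
```

The division form of the comparison matters: a count chosen so that `shnum * shentsize` wraps to a small value would pass a naive `shoff + shnum * shentsize <= file_len` test.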