Re: [PATCH 16/23] pefile: Parse a PE binary to find a key and a signature contained therein

David Howells Wed, 31 Oct 2012 05:32:07 -0700

Kees Cook <keesc...@chromium.org> wrote:

> Which means this loop will walk past the end of the memory (loop is
> bounded by n_sections, so secs[loop] can go past datalen). While
> data_addr and raw_data_size will stay bounded, the read of sec->name
> can be out of bounds.


Assuming n_sections is checked, sec->name can't be out of bounds because it's
a char array, not a pointer.

> (Also, do you want a "break" in there after the first .keylist is found, or
> is this intentionally "use last key list"?)

Actually, no I don't.  The loop also checks the limits on each section - which
I need to do since I have to individually digest the sections later.

Attached is a patch I'm applying to pefile_parse_binary() to be more rigorous
about the checking of values in the PE binary.

David
---
diff --git a/crypto/asymmetric_keys/pefile_parser.c 
b/crypto/asymmetric_keys/pefile_parser.c
index efae278..fb80cf0 100644
--- a/crypto/asymmetric_keys/pefile_parser.c
+++ b/crypto/asymmetric_keys/pefile_parser.c
@@ -42,8 +42,8 @@ static int pefile_parse_binary(struct key_preparsed_payload 
*prep,
 
 #define chkaddr(base, x, s)                                            \
        do {                                                            \
-               if ((x) < base || (s) >= datalen || (x) > datalen - (s))        
\
-                       return -ERANGE;                                 \
+               if ((x) < base || (s) >= datalen || (x) > datalen - (s)) \
+                       return -ELIBBAD;                                \
        } while(0)
 
        chkaddr(0, 0, sizeof(*mz));
@@ -88,7 +88,13 @@ static int pefile_parse_binary(struct key_preparsed_payload 
*prep,
        pr_devel("checksum @ %x\n", ctx->image_checksum_offset);
        pr_devel("header size = %x\n", ctx->header_size);
 
-       chkaddr(0, cursor, sizeof(*ddir));
+       if (cursor >= ctx->header_size || ctx->header_size >= datalen)
+               return -ELIBBAD;
+
+       if (ctx->n_data_dirents > (ctx->header_size - cursor) / sizeof(*dde) ||
+           ctx->n_data_dirents < sizeof(*ddir) / sizeof(*dde))
+               return -ELIBBAD;
+
        ddir = prep->data + cursor;
        cursor += sizeof(*dde) * ctx->n_data_dirents;
 
@@ -101,7 +107,7 @@ static int pefile_parse_binary(struct key_preparsed_payload 
*prep,
                return -EKEYREJECTED;
        }
 
-       chkaddr(cursor, ddir->certs.virtual_address, ddir->certs.size);
+       chkaddr(ctx->header_size, ddir->certs.virtual_address, 
ddir->certs.size);
        ctx->sig_offset = ddir->certs.virtual_address;
        ctx->sig_len = ddir->certs.size;
        pr_devel("cert = %x @%x [%*ph]\n",
@@ -112,7 +118,8 @@ static int pefile_parse_binary(struct key_preparsed_payload 
*prep,
         * section containing the list of keys.
         */
        ctx->n_sections = pe->sections;
-       chkaddr(0, cursor, sizeof(*sec) * ctx->n_sections);
+       if (ctx->n_sections > (ctx->header_size - cursor) / sizeof(*sec))
+               return -ELIBBAD;
        ctx->secs = secs = prep->data + cursor;
        cursor += sizeof(*sec) * ctx->n_sections;
 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH 16/23] pefile: Parse a PE binary to find a key and a signature contained therein

Reply via email to