From 78bc9a9b2bd812c32a0f9773d30a5ed46ba568a5 Mon Sep 17 00:00:00 2001
From: Alec Brown
Date: Mon, 22 May 2023 16:52:48 -0400
Subject: [PATCH] loader/multiboot_elfxx: Check program header offset doesn't exceed constraints

In grub-core/loader/multiboot_elfxx.c, we need to make sure that the program header offset is less than the file size along with the MULTIBOOT_SEARCH constant. We can do so by setting the variable phlimit to the minimum value of the two limits and check it each time we change program header index to insure that the program header offset isn't outside of the limits.

Fixes: CID 314029
Fixes: CID 314038
Signed-off-by: Alec Brown
Reviewed-by: Daniel Kiper
---
 grub-core/loader/multiboot_elfxx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
index a81a8d38b..1edad0594 100644
--- a/grub-core/loader/multiboot_elfxx.c
+++ b/grub-core/loader/multiboot_elfxx.c
@@ -70,6 +70,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
 grub_uint32_t load_offset = 0, load_size = 0;
 Elf_Shnum shnum;
 Elf_Word shstrndx, phnum;
+ grub_off_t phlimit;
 unsigned int i;
 void *source = NULL;
@@ -100,7 +101,8 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
 return err;
 /* FIXME: Should we support program headers at strange locations? */
- if (ehdr->e_phoff + phnum * ehdr->e_phentsize > MULTIBOOT_SEARCH)
+ phlimit = grub_min (MULTIBOOT_SEARCH, grub_file_size (mld->file));
+ if ((grub_off_t) ehdr->e_phoff + phnum * ehdr->e_phentsize > phlimit)
 return grub_error (GRUB_ERR_BAD_OS, "program header at a too high offset");
 phdr_base = (char *) mld->buffer + ehdr->e_phoff;
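Review bot: In the second hunk the new bound check can still be bypassed by arithmetic wrap-around, because the `(grub_off_t)` cast binds only to `ehdr->e_phoff` and the product `phnum * ehdr->e_phentsize` is evaluated first in the narrower type of `phnum`. If `Elf_Word` is 32 bits wide, as in the ELF definitions (its typedef is outside this hunk), a file with a large `phnum` can wrap the product to a small value and pass the comparison against `phlimit`. For ELF64 a very large `e_phoff` can also wrap the 64-bit addition. Widening the product and comparing by subtraction avoids both: `if (ehdr->e_phoff > phlimit || (grub_off_t) phnum * ehdr->e_phentsize > phlimit - ehdr->e_phoff)`. The code that walks the headers from `phdr_base` lies outside the hunk, so it is worth confirming that nothing after this check indexes past the buffer when the values come from an untrusted image.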