Sergii Dmytruk has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/84541?usp=email )
Change subject: drivers/efi/capsules.c: check for overflows ......................................................................
drivers/efi/capsules.c: check for overflows
Change-Id: I43d17d77197fc2cbd721d47941101551603c352a Signed-off-by: Sergii Dmytruk sergii.dmytruk@3mdeb.com --- M src/drivers/efi/capsules.c 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/drivers/efi/capsules.c b/src/drivers/efi/capsules.c
index e674e33..cf15c3c 100644
--- a/src/drivers/efi/capsules.c
+++ b/src/drivers/efi/capsules.c
@@ -344,7 +344,20 @@
 goto error;
 }
- data_size += ALIGN_UP(capsule_hdr->CapsuleImageSize, CAPSULE_ALIGNMENT);
+ uint32_t capsule_size =
+ ALIGN_UP(capsule_hdr->CapsuleImageSize, CAPSULE_ALIGNMENT);
+ if (capsule_size == 0) {
+ printk(BIOS_ERR, "capsules: capsule's size is too large (%#x).\n",
+ capsule_hdr->CapsuleImageSize);
+ goto error;
+ }
+ if (data_size + capsule_size < data_size) {
+ printk(BIOS_ERR,
+ "capsules: capsules' size is too large (%#llx + %#x).\n",
+ data_size, capsule_size);
+ goto error;
+ }
+ data_size += capsule_size;
 uint32_t size_left = capsule_hdr->CapsuleImageSize;
 while (size_left != 0) {
@@ -384,6 +397,12 @@
 }
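Review bot: The `capsule_size == 0` test only detects the ALIGN_UP() wrap indirectly, and a CapsuleImageSize that is genuinely zero (if it is not rejected before this hunk) gets the misleading "too large" message; comparing the rounded value with its input catches exactly the wrap, `if (capsule_size < capsule_hdr->CapsuleImageSize) {`. That comparison works whether ALIGN_UP() wraps in 32-bit arithmetic or its wider result is truncated on assignment to the uint32_t shown, since in both cases a size within CAPSULE_ALIGNMENT of UINT32_MAX comes back as 0. A one-line comment would save the next reader the same analysis, e.g. `/* ALIGN_UP() rounds past UINT32_MAX for sizes close to it. */`. The enclosing function starts and ends outside the hunk.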
 /* Increase the size only on successful parsing of the capsule block. */
+ if (*total_data_size + data_size < *total_data_size) {
+ printk(BIOS_ERR,
+ "capsules: total capsule's size is too large (%#llx + %#llx).\n",
+ *total_data_size, data_size);
+ goto error;
+ }
 *total_data_size += data_size;
return block;
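Review bot: `*total_data_size` and `data_size` are printed with `%#llx`; their declarations are outside the hunk, but if they are `uint64_t` that specifier is only correct where uint64_t is `unsigned long long`, so `"%#" PRIx64` from <inttypes.h> is the portable form — the same applies to the `data_size` printk in the first hunk. The wrap check itself is right for unsigned arithmetic, but with 64-bit accumulators fed by 32-bit capsule sizes it will practically never trip; the effective limit is presumably the memory reserved for the coalesced capsules, so it is worth confirming that the total is also bounded against that where it is consumed.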