If the CBFS header is invalid and points to 0xffffffff it could cause SeaBIOS to read past the 4GB boundary and cause an exception. Check the alignment of the header pointer before attempting to access fields within the header.
Reported-by: "Alex G." <mr.nuke.me@gmail.com>
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
---
 src/fw/coreboot.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/fw/coreboot.c b/src/fw/coreboot.c index 3b9df14..4fe1292 100644 --- a/src/fw/coreboot.c +++ b/src/fw/coreboot.c @@ -421,6 +421,10 @@ coreboot_cbfs_init(void) return;
struct cbfs_header *hdr = *(void **)(CONFIG_CBFS_LOCATION - 4); + if ((u32)hdr & 0x03) { + dprintf(1, "Invalid CBFS pointer %p\n", hdr); + return; + } if (CONFIG_CBFS_LOCATION && (u32)hdr > CONFIG_CBFS_LOCATION) // Looks like the pointer is relative to CONFIG_CBFS_LOCATION hdr = (void*)hdr + CONFIG_CBFS_LOCATION;
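Review bot: the new test `(u32)hdr & 0x03` rejects 0xffffffff but not an invalid value that happens to be 4-byte aligned (0xfffffffc, for instance), and for such a value reading the fields of `struct cbfs_header` would still cross the 4GB boundary the commit message is worried about; consider adding a range check that the pointer plus `sizeof(*hdr)` does not wrap past the end of the address space. Placing the alignment test before the `hdr = (void*)hdr + CONFIG_CBFS_LOCATION` adjustment is fine as long as CONFIG_CBFS_LOCATION is itself 4-byte aligned, but a range check would have to come after that adjustment to cover the relative-pointer case as well.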
On Tue, Jan 12, 2016 at 01:40:18PM -0500, Kevin O'Connor wrote:
> If the CBFS header is invalid and points to 0xffffffff it could cause SeaBIOS to read past the 4GB boundary and cause an exception. Check the alignment of the header pointer before attempting to access fields within the header.
FYI, I committed this change.
-Kevin