Re: [PATCH 0/4] Address coverity untrusted loop bound bugs in multiboot_
From: Daniel Kiper
Subject: Re: [PATCH 0/4] Address coverity untrusted loop bound bugs in multiboot_elfxx.c
Date: Tue, 23 May 2023 16:19:18 +0200

On Mon, May 22, 2023 at 04:52:45PM -0400, Alec Brown wrote:
> Coverity has listed two untrusted loop bound bugs in
> grub-core/loader/multiboot_elfxx.c. They are CID 314029 and CID 314038. After
> testing the first patch, the CID changed to an untrusted loop bound for line
> 244: shdr = grub_calloc (shnum, ehdr->e_shentsize);. I added a second patch to
> address this, but after making these changes, it reverted to the original bug of
> using tainted data in grub_memset(). The third patch addresses Coverity's issue
> with phdr() in grub_memset() and reduces the bug to only having an issue with
> using phnum as an untrusted loop bound. However, we can ignore this since phnum
> is already getting checked earlier in the function.
>
> I've also bundled a use-after-free patch with this patch set at the end.
>
> Alec Brown (4):
>   elf: Check program memory isn't larger than allocated memory size
>   elf: Check section header region before allocating memory
>   elf: check program header offset doesn't exceed constraints
>   efi: Fix use-after-free in finish boot services
For all the patches Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>...
Thank you for fixing these issues!
Daniel
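
The kind of check the cover letter describes, validating untrusted ELF header offsets and counts against the file size before they size an allocation or bound a loop, as an added example that is not GRUB's code and not taken from the patch set. `struct elf_tables`, `table_in_bounds()` and `elf_tables_valid()` are hypothetical names, the sample headers are constructed, and extended section numbering is not handled.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical subset of the ELF64 header: only the table-describing fields. */
struct elf_tables {
    uint64_t e_phoff, e_shoff;      /* table offsets within the file */
    uint16_t e_phentsize, e_phnum;  /* program header entry size and count */
    uint16_t e_shentsize, e_shnum;  /* section header entry size and count */
};
#define PHDR64_SIZE 56  /* sizeof(Elf64_Phdr) */
#define SHDR64_SIZE 64  /* sizeof(Elf64_Shdr) */

/* 1 if num entries of entsize bytes at off lie wholly inside the file. */
static int table_in_bounds(uint64_t off, uint16_t entsize, uint16_t num,
                           uint16_t min_entsize, uint64_t file_size)
{
    uint64_t bytes = (uint64_t) entsize * num;  /* 16x16 bits fits in 64 */
    if (num == 0)
        return 1;                   /* empty table: nothing will be read */
    if (entsize < min_entsize)
        return 0;                   /* entries too short to parse */
    /* Subtract instead of adding so off + bytes can never wrap. */
    return off <= file_size && bytes <= file_size - off;
}

/* Run before any allocation or loop that uses e_phnum or e_shnum. */
int elf_tables_valid(const struct elf_tables *h, uint64_t file_size)
{
    return table_in_bounds(h->e_phoff, h->e_phentsize, h->e_phnum,
                           PHDR64_SIZE, file_size)
        && table_in_bounds(h->e_shoff, h->e_shentsize, h->e_shnum,
                           SHDR64_SIZE, file_size);
}

/* Constructed sample headers for a 4096-byte file (not from a real image). */
const struct elf_tables sample_good      = { 64, 1024, 56, 2, 64, 4 };
const struct elf_tables sample_big_shnum = { 64, 1024, 56, 2, 64, 0xffff };
const struct elf_tables sample_wrap_off  = { UINT64_MAX - 8, 1024, 56, 2, 64, 4 };
const struct elf_tables sample_tiny_ent  = { 64, 1024, 1, 2, 64, 4 };

int main(void)
{
    printf("good=%d big_shnum=%d wrap_off=%d tiny_ent=%d\n",
           elf_tables_valid(&sample_good, 4096),
           elf_tables_valid(&sample_big_shnum, 4096),
           elf_tables_valid(&sample_wrap_off, 4096),
           elf_tables_valid(&sample_tiny_ent, 4096));
    return 0;
}
```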