[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v7 2/2] x86/boot: Improve MBI2 structure check

To: xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
Date: Tue, 1 Oct 2024 11:22:39 +0100
Cc: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
Delivery-date: Tue, 01 Oct 2024 10:22:57 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Tag structure should contain at least the tag header.
Entire tag structure must be contained inside MBI2 data.

Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
---
Changes since v6:
- compare against total_size every time to avoid overflows.
---
 xen/arch/x86/efi/mbi2.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/efi/mbi2.c b/xen/arch/x86/efi/mbi2.c
index 55a1777483..935f3ae5d0 100644
--- a/xen/arch/x86/efi/mbi2.c
+++ b/xen/arch/x86/efi/mbi2.c
@@ -13,6 +13,7 @@ efi_multiboot2_prelude(uint32_t magic, const 
multiboot2_fixed_t *mbi)
     EFI_HANDLE ImageHandle = NULL;
     EFI_SYSTEM_TABLE *SystemTable = NULL;
     const char *cmdline = NULL;
+    const void *const mbi_raw = (const void *)mbi;
     bool have_bs = false;
 
     if ( magic != MULTIBOOT2_BOOTLOADER_MAGIC )
@@ -21,7 +22,9 @@ efi_multiboot2_prelude(uint32_t magic, const 
multiboot2_fixed_t *mbi)
     /* Skip Multiboot2 information fixed part. */
     tag = _p(ROUNDUP((unsigned long)(mbi + 1), MULTIBOOT2_TAG_ALIGN));
 
-    for ( ; (const void *)tag - (const void *)mbi < mbi->total_size &&
+    for ( ; (const void *)(tag + 1) - mbi_raw <= mbi->total_size &&
+            tag->size >= sizeof(*tag) &&
+            (const void *)tag + tag->size - mbi_raw <= mbi->total_size &&
             tag->type != MULTIBOOT2_TAG_TYPE_END;
           tag = _p(ROUNDUP((unsigned long)tag + tag->size,
                    MULTIBOOT2_TAG_ALIGN)) )
-- 
2.34.1

Follow-Ups:
- Re: [PATCH v7 2/2] x86/boot: Improve MBI2 structure check
  - From: Jan Beulich

References:
- [PATCH v7 0/2] x86/boot: Reduce assembly code
  - From: Frediano Ziglio

Prev by Date: [PATCH v7 1/2] x86/boot: Rewrite EFI/MBI2 code partly in C
Next by Date: Re: [PATCH 2/2] x86/pv: Handle #PF correctly when reading the IO permission bitmap
Previous by thread: Re: [PATCH v7 1/2] x86/boot: Rewrite EFI/MBI2 code partly in C
Next by thread: Re: [PATCH v7 2/2] x86/boot: Improve MBI2 structure check
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.