[xen staging] x86/boot: Improve MBI2 structure check
commit 47990ecef286606794d607d4ca8703d71c98d659
Author: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
AuthorDate: Tue Oct 15 09:25:13 2024 +0100
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Oct 15 18:22:07 2024 +0100
x86/boot: Improve MBI2 structure check
Tag structure should contain at least the tag header. Entire tag structure must be contained inside MBI2 data.
Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
---
xen/arch/x86/efi/mbi2.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/efi/mbi2.c b/xen/arch/x86/efi/mbi2.c
index 55a1777483..d2f0f0ee61 100644
--- a/xen/arch/x86/efi/mbi2.c
+++ b/xen/arch/x86/efi/mbi2.c
@@ -13,6 +13,7 @@ efi_multiboot2_prelude(uint32_t magic, const multiboot2_fixed_t *mbi)
 EFI_HANDLE ImageHandle = NULL;
 EFI_SYSTEM_TABLE *SystemTable = NULL;
 const char *cmdline = NULL;
+ const void *const mbi_raw = (const void *)mbi;
 bool have_bs = false;
 if ( magic != MULTIBOOT2_BOOTLOADER_MAGIC )
@@ -21,8 +22,10 @@ efi_multiboot2_prelude(uint32_t magic, const multiboot2_fixed_t *mbi)
 /* Skip Multiboot2 information fixed part. */
 tag = _p(ROUNDUP((unsigned long)(mbi + 1), MULTIBOOT2_TAG_ALIGN));
- for ( ; (const void *)tag - (const void *)mbi < mbi->total_size &&
- tag->type != MULTIBOOT2_TAG_TYPE_END;
+ for ( ; (const void *)(tag + 1) - mbi_raw <= mbi->total_size &&
+ tag->type != MULTIBOOT2_TAG_TYPE_END &&
+ tag->size >= sizeof(*tag) &&
+ (const void *)tag + tag->size - mbi_raw <= mbi->total_size;
 tag = _p(ROUNDUP((unsigned long)tag + tag->size, MULTIBOOT2_TAG_ALIGN)) )
 {
-- generated by git-patchbot for /home/xen/git/xen.git#staging
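Review bot: The added `tag->size >= sizeof(*tag)` clause in the second hunk's `for` condition guarantees only the generic tag header, so a tag whose type selects a larger structure can still pass with a size too small for the fields the loop body reads. The body lies outside this hunk, so this is inferred; if it casts `tag` to a type-specific layout, each case should compare `tag->size` with that layout's size before the cast. The loop also ends the same way for a malformed tag as for `MULTIBOOT2_TAG_TYPE_END`, which makes a truncated MBI2 indistinguishable from a complete one unless later code checks what was found. A comment above the loop would record the contract: `/* Validates only the generic tag header and containment in total_size; per-type size checks belong in the loop body. */`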