File tboot-Add-more-mbi-validation.patch of Package tboot.15837
From d5ed71429de8a3462fef9708a96e6feca1b04d63 Mon Sep 17 00:00:00 2001
From: Lukasz Hawrylko <lukasz.hawrylko@intel.com>
Date: Mon, 7 Sep 2020 15:39:55 +0200
Subject: [PATCH] Add more mbi validation
Signed-off-by: Lukasz Hawrylko <lukasz.hawrylko@intel.com>
---
 tboot/common/efi_memmap.c | 17 +++++++++++------
 tboot/common/loader.c | 9 ++++++++-
 tboot/common/policy.c | 5 +++++
 3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/tboot/common/efi_memmap.c b/tboot/common/efi_memmap.c
index 38c2293..2ebe444 100644
--- a/tboot/common/efi_memmap.c
+++ b/tboot/common/efi_memmap.c
@@ -65,12 +65,17 @@ bool efi_memmap_copy(loader_ctx *lctx)
 return false;
 }
- efi_mmap->size = mmap_size;
- efi_mmap->descr_size = descr_size;
- memcpy(efi_mmap->descr, (void*)descr_addr, mmap_size);
- efi_mmap_available = true;
+ if (mmap_size < TBOOT_EFI_MEMMAP_COPY_SIZE - offsetof(efi_memmap_t, descr)) {
+ efi_mmap->size = mmap_size;
+ efi_mmap->descr_size = descr_size;
+ memcpy(efi_mmap->descr, (void*)descr_addr, mmap_size);
+ efi_mmap_available = true;
+ return true;
+ } else {
+ printk(TBOOT_WARN"Too many entries in EFI memory map\n");
+ return false;
+ }
- return true;
 }
 /**
@@ -304,7 +309,7 @@ bool efi_memmap_get_highest_sized_ram(uint64_t size, uint64_t limit,
 }
 printk("get_highest_sized_ram: size %llx -> base %llx, size %llx\n",
- size, *ram_base, *ram_size);
+ size, last_fit_base, last_fit_size);
 if (last_fit_size == 0) {
 return false;
diff --git a/tboot/common/loader.c b/tboot/common/loader.c
index c96e098..4a302e8 100644
--- a/tboot/common/loader.c
+++ b/tboot/common/loader.c
@@ -289,8 +289,15 @@ bool verify_loader_context(loader_ctx *lctx)
 if (count < 1){
 printk(TBOOT_ERR"Error: no MB%d modules\n", lctx->type);
 return false;
- } else
+ } else {
+ for (uint32_t i = 0; i < count; ++i) {
+ module_t *m = get_module(lctx, i);
+ if (m->mod_end < m->mod_start) {
+ return false;
+ }
+ }
 return true;
+ }
 }
 static bool remove_mb2_tag(loader_ctx *lctx, struct mb2_tag *cur)
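Review bot: In the first efi_memmap.c hunk the new guard bounds `mmap_size` against the copy buffer, but `descr_size` is still written to `efi_mmap->descr_size` with no check visible in the hunk. If the lines above the hunk do not already reject it, a zero or inconsistent descriptor size supplied by the bootloader would be trusted by any later code that walks the copied map with that stride. A guard before the copy such as `if (descr_size == 0 || mmap_size % descr_size != 0) return false;` would cover it. The start of efi_memmap_copy lies outside the hunk, so this should be confirmed against the earlier checks.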
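Review bot: In the loader.c hunk the new loop dereferences `m` immediately after `get_module(lctx, i)`. get_module is defined outside the hunk, so if it can return NULL for a malformed loader context, the validation itself would fault on the data it is meant to reject; `if (m == NULL || m->mod_end < m->mod_start) {` avoids that. The rejection is also silent, unlike the `count < 1` branch above it, so a line such as `printk(TBOOT_ERR"Error: invalid module %u range\n", i);` before `return false;` would make a refused boot diagnosable. Note that a module with `mod_end == mod_start` still passes this check.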
diff --git a/tboot/common/policy.c b/tboot/common/policy.c
index b3adc04..bc7c695 100644
--- a/tboot/common/policy.c
+++ b/tboot/common/policy.c
@@ -819,6 +819,11 @@ static void verify_g_policy(void)
 void verify_all_modules(loader_ctx *lctx)
 {
+ if (!verify_loader_context(lctx)) {
+ printk(TBOOT_ERR"Error: Invalid loader context\n");
+ apply_policy(TB_ERR_FATAL);
+ }
+
 /* assumes mbi is valid */
 verify_g_policy();
--
2.26.2
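Review bot: After `apply_policy(TB_ERR_FATAL);` the new block in verify_all_modules falls through to `verify_g_policy();` and the module verification that follows. apply_policy is defined outside the hunk, so if the active policy's action for this error ever lets it return, the rest of the function runs on a loader context that has just failed validation. Adding `return;` after the call makes the failure path explicit regardless of policy. The comment `/* assumes mbi is valid */` after the block is now stale and could read `/* loader context validated above */`. The rest of the function body is outside the hunk.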