proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-07 08:37:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Revert "additional bounds-checking on section sizes"

Browse Source 
This reverts commit 21e40f0174.

In principle I like the idea of what's going on here, but
generate_hash() really does need to have the expected result.
This commit is contained in:
Peter Jones 2013-10-23 10:50:36 -04:00
parent be73f6bd4f
commit 56fb385a17
4 changed files with 33 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Makefile
View File

@ -16,8 +16,7 @@ EFI_LDS = elf_$(ARCH)_efi.lds
DEFAULT_LOADER := \\\\grub.efi DEFAULT_LOADER := \\\\grub.efi
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror \ -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \
-mno-red-zone -maccumulate-outgoing-args \
-mno-mmx -mno-sse -fno-builtin \ -mno-mmx -mno-sse -fno-builtin \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \

6
MokManager.c
View File

@ -440,7 +440,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
MokListNode *keys = NULL; MokListNode *keys = NULL;
INTN key_num = 0; INTN key_num = 0;
CHAR16 **menu_strings; CHAR16 **menu_strings;
unsigned int i; int i;
if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) + if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) +
sizeof(EFI_SIGNATURE_DATA))) { sizeof(EFI_SIGNATURE_DATA))) {
@ -491,7 +491,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show) static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show)
{ {
EFI_INPUT_KEY key; EFI_INPUT_KEY key;
unsigned int count = 0; int count = 0;
do { do {
key = console_get_keystroke(); key = console_get_keystroke();
@ -640,7 +640,7 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt,
CHAR16 password[PASSWORD_MAX]; CHAR16 password[PASSWORD_MAX];
UINT32 pw_length; UINT32 pw_length;
UINT8 fail_count = 0; UINT8 fail_count = 0;
unsigned int i; int i;
if (pw_crypt) { if (pw_crypt) {
auth_hash = pw_crypt->hash; auth_hash = pw_crypt->hash;

4
PasswordCrypt.c
View File

@ -154,7 +154,7 @@ static EFI_STATUS sha256_crypt (const char *key, UINT32 key_len,
CopyMem(cp, tmp_result, cnt); CopyMem(cp, tmp_result, cnt);
SHA256_Init(&alt_ctx); SHA256_Init(&alt_ctx);
for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
SHA256_Update(&alt_ctx, salt, salt_size); SHA256_Update(&alt_ctx, salt, salt_size);
SHA256_Final(tmp_result, &alt_ctx); SHA256_Final(tmp_result, &alt_ctx);
@ -242,7 +242,7 @@ static EFI_STATUS sha512_crypt (const char *key, UINT32 key_len,
CopyMem(cp, tmp_result, cnt); CopyMem(cp, tmp_result, cnt);
SHA512_Init(&alt_ctx); SHA512_Init(&alt_ctx);
for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
SHA512_Update(&alt_ctx, salt, salt_size); SHA512_Update(&alt_ctx, salt, salt_size);
SHA512_Final(tmp_result, &alt_ctx); SHA512_Final(tmp_result, &alt_ctx);

82
shim.c
View File

@ -102,7 +102,7 @@ typedef struct {
/* /*
* Perform basic bounds checking of the intra-image pointers * Perform basic bounds checking of the intra-image pointers
*/ */
static void *ImageAddress (void *image, unsigned int size, unsigned int address) static void *ImageAddress (void *image, int size, unsigned int address)
{ {
if (address > size) if (address > size)
return NULL; return NULL;
@ -483,19 +483,18 @@ static BOOLEAN secure_mode (void)
* Calculate the SHA1 and SHA256 hashes of a binary * Calculate the SHA1 and SHA256 hashes of a binary
*/ */
static EFI_STATUS generate_hash (char *data, int datasize_in, static EFI_STATUS generate_hash (char *data, int datasize,
PE_COFF_LOADER_IMAGE_CONTEXT *context, PE_COFF_LOADER_IMAGE_CONTEXT *context,
UINT8 *sha256hash, UINT8 *sha1hash) UINT8 *sha256hash, UINT8 *sha1hash)
{ {
unsigned int sha256ctxsize, sha1ctxsize; unsigned int sha256ctxsize, sha1ctxsize;
unsigned int size; unsigned int size = datasize;
void *sha256ctx = NULL, *sha1ctx = NULL; void *sha256ctx = NULL, *sha1ctx = NULL;
char *hashbase; char *hashbase;
unsigned int hashsize; unsigned int hashsize;
unsigned int SumOfBytesHashed, SumOfSectionBytes; unsigned int SumOfBytesHashed, SumOfSectionBytes;
unsigned int index, pos; unsigned int index, pos;
unsigned int datasize;
EFI_IMAGE_SECTION_HEADER *Section; EFI_IMAGE_SECTION_HEADER *Section;
EFI_IMAGE_SECTION_HEADER *SectionHeader = NULL; EFI_IMAGE_SECTION_HEADER *SectionHeader = NULL;
EFI_IMAGE_SECTION_HEADER *SectionCache; EFI_IMAGE_SECTION_HEADER *SectionCache;
@ -507,12 +506,6 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
sha1ctxsize = Sha1GetContextSize(); sha1ctxsize = Sha1GetContextSize();
sha1ctx = AllocatePool(sha1ctxsize); sha1ctx = AllocatePool(sha1ctxsize);
if (datasize_in < 0) {
Print(L"Invalid data size\n");
return EFI_INVALID_PARAMETER;
}
size = datasize = (unsigned int)datasize_in;
if (!sha256ctx || !sha1ctx) { if (!sha256ctx || !sha1ctx) {
Print(L"Unable to allocate memory for hash context\n"); Print(L"Unable to allocate memory for hash context\n");
return EFI_OUT_OF_RESOURCES; return EFI_OUT_OF_RESOURCES;
@ -563,30 +556,23 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
/* Sort sections */ /* Sort sections */
SumOfBytesHashed = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; SumOfBytesHashed = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders;
/* Validate section locations and sizes */ Section = (EFI_IMAGE_SECTION_HEADER *) (
for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++, SectionCache++) { (char *)context->PEHdr + sizeof (UINT32) +
EFI_IMAGE_SECTION_HEADER *SectionPtr;
/* Validate SectionPtr is within image */
SectionPtr = ImageAddress(data, datasize,
sizeof (UINT32) +
sizeof (EFI_IMAGE_FILE_HEADER) + sizeof (EFI_IMAGE_FILE_HEADER) +
context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader
(index * sizeof(*SectionPtr))); );
if (!SectionPtr) {
Print(L"Malformed section %d\n", index); SectionCache = Section;
for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++, SectionCache++) {
SumOfSectionBytes += SectionCache->SizeOfRawData;
}
if (SumOfSectionBytes >= datasize) {
Print(L"Malformed binary: %x %x\n", SumOfSectionBytes, size);
status = EFI_INVALID_PARAMETER; status = EFI_INVALID_PARAMETER;
goto done; goto done;
} }
/* Validate section size is within image. */
if (SectionPtr->SizeOfRawData >
datasize - SumOfBytesHashed - SumOfSectionBytes) {
Print(L"Malformed section %d size\n", index);
status = EFI_INVALID_PARAMETER;
goto done;
}
SumOfSectionBytes += SectionPtr->SizeOfRawData;
}
SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections); SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections);
if (SectionHeader == NULL) { if (SectionHeader == NULL) {
@ -595,11 +581,6 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
goto done; goto done;
} }
/* Already validated above */
Section = ImageAddress(data, datasize, sizeof (UINT32) +
sizeof (EFI_IMAGE_FILE_HEADER) +
context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader);
/* Sort the section headers */ /* Sort the section headers */
for (index = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++) { for (index = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++) {
pos = index; pos = index;
@ -617,8 +598,8 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
if (Section->SizeOfRawData == 0) { if (Section->SizeOfRawData == 0) {
continue; continue;
} }
hashbase = ImageAddress(data, size, hashbase = ImageAddress(data, size, Section->PointerToRawData);
Section->PointerToRawData); hashsize = (unsigned int) Section->SizeOfRawData;
if (!hashbase) { if (!hashbase) {
Print(L"Malformed section header\n"); Print(L"Malformed section header\n");
@ -626,15 +607,6 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
goto done; goto done;
} }
/* Verify hashsize within image. */
if (Section->SizeOfRawData >
datasize - Section->PointerToRawData) {
Print(L"Malformed section raw size %d\n", index);
status = EFI_INVALID_PARAMETER;
goto done;
}
hashsize = (unsigned int) Section->SizeOfRawData;
if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
!(Sha1Update(sha1ctx, hashbase, hashsize))) { !(Sha1Update(sha1ctx, hashbase, hashsize))) {
Print(L"Unable to generate hash\n"); Print(L"Unable to generate hash\n");
@ -645,10 +617,10 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
} }
/* Hash all remaining data */ /* Hash all remaining data */
if (datasize > SumOfBytesHashed) { if (size > SumOfBytesHashed) {
hashbase = data + SumOfBytesHashed; hashbase = data + SumOfBytesHashed;
hashsize = (unsigned int)( hashsize = (unsigned int)(
datasize - size -
context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size -
SumOfBytesHashed); SumOfBytesHashed);
@ -878,8 +850,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
return EFI_UNSUPPORTED; return EFI_UNSUPPORTED;
} }
if ((unsigned long)((UINT8 *)context->SecDir - (UINT8 *)data) > if (((UINT8 *)context->SecDir - (UINT8 *)data) > (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) {
(datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) {
Print(L"Invalid image\n"); Print(L"Invalid image\n");
return EFI_UNSUPPORTED; return EFI_UNSUPPORTED;
} }
@ -899,8 +870,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
{ {
EFI_STATUS efi_status; EFI_STATUS efi_status;
char *buffer; char *buffer;
int i; int i, size;
unsigned int size;
EFI_IMAGE_SECTION_HEADER *Section; EFI_IMAGE_SECTION_HEADER *Section;
char *base, *end; char *base, *end;
PE_COFF_LOADER_IMAGE_CONTEXT context; PE_COFF_LOADER_IMAGE_CONTEXT context;
@ -1077,8 +1047,7 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath,
{ {
EFI_DEVICE_PATH *devpath; EFI_DEVICE_PATH *devpath;
EFI_HANDLE device; EFI_HANDLE device;
unsigned int i; int i, j, last = -1;
int j, last = -1;
unsigned int pathlen = 0; unsigned int pathlen = 0;
EFI_STATUS efi_status = EFI_SUCCESS; EFI_STATUS efi_status = EFI_SUCCESS;
CHAR16 *bootpath; CHAR16 *bootpath;
@ -1633,10 +1602,9 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
EFI_STATUS status; EFI_STATUS status;
EFI_LOADED_IMAGE *li; EFI_LOADED_IMAGE *li;
CHAR16 *start = NULL, *c; CHAR16 *start = NULL, *c;
unsigned int i; int i, remaining_size = 0;
int remaining_size = 0;
CHAR16 *loader_str = NULL; CHAR16 *loader_str = NULL;
unsigned int loader_len = 0; int loader_len = 0;
second_stage = DEFAULT_LOADER; second_stage = DEFAULT_LOADER;
load_options = NULL; load_options = NULL;