diff options
author | Kevin O'Connor <kevin@koconnor.net> | 2016-01-12 13:36:50 -0500 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2016-01-15 10:54:41 +0100 |
commit | 60270436df5224dc81eeac7b1421e041c3f4fe75 (patch) | |
tree | 8d11ca464984a889ff5552af8220e3729d1907ed | |
parent | dc6498e9e7429f2d1fdc38dad684c612f6847b9f (diff) | |
download | seabios-60270436df5224dc81eeac7b1421e041c3f4fe75.zip seabios-60270436df5224dc81eeac7b1421e041c3f4fe75.tar.gz seabios-60270436df5224dc81eeac7b1421e041c3f4fe75.tar.bz2 |
coreboot: Check for unaligned cbfs header
If the CBFS header is invalid and points to 0xffffffff it could cause
SeaBIOS to read past the 4GB boundary and cause an exception. Check
the alignment of the header pointer before attempting to access fields
within the header.
Reported-by: "Alex G." <mr.nuke.me@gmail.com>
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
(cherry picked from commit 3e8d75f3bef0f36a807303d58523ef5eba4a386f)
-rw-r--r-- | src/fw/coreboot.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/fw/coreboot.c b/src/fw/coreboot.c index 3b9df14..4fe1292 100644 --- a/src/fw/coreboot.c +++ b/src/fw/coreboot.c @@ -421,6 +421,10 @@ coreboot_cbfs_init(void) return; struct cbfs_header *hdr = *(void **)(CONFIG_CBFS_LOCATION - 4); + if ((u32)hdr & 0x03) { + dprintf(1, "Invalid CBFS pointer %p\n", hdr); + return; + } if (CONFIG_CBFS_LOCATION && (u32)hdr > CONFIG_CBFS_LOCATION) // Looks like the pointer is relative to CONFIG_CBFS_LOCATION hdr = (void*)hdr + CONFIG_CBFS_LOCATION; |