diff options
author | Jan Janssen <medhefgo@web.de> | 2021-12-28 16:07:09 +0100 |
---|---|---|
committer | Jan Janssen <medhefgo@web.de> | 2021-12-29 14:39:54 +0100 |
commit | 1cadb35fd68f0255e50627dffd25c83e7e2081e5 (patch) | |
tree | 485ecff12cdcdbf4c009b12e41ec11f02ba76a22 | |
parent | 77fcf28cb88b302453b4c991a6571cb37f10634d (diff) | |
download | systemd-1cadb35fd68f0255e50627dffd25c83e7e2081e5.tar.gz |
boot: Reject unaligned data
The data seems to be properly aligned in real BCD stores, so it
should be fine to just reject bad ones.
Fixes: #21917
-rw-r--r-- | src/boot/efi/bcd.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/boot/efi/bcd.c b/src/boot/efi/bcd.c index 44c544f8f7..85569deb09 100644 --- a/src/boot/efi/bcd.c +++ b/src/boot/efi/bcd.c @@ -176,7 +176,8 @@ static const KeyValue *get_key_value(const UINT8 *bcd, UINT32 bcd_len, const Key if (key->n_key_values == 0) return NULL; - if ((UINT64) key->key_values_offset + sizeof(UINT32[key->n_key_values]) >= bcd_len) + if ((UINT64) key->key_values_offset + sizeof(UINT32[key->n_key_values]) >= bcd_len || + (UINTN)(bcd + key->key_values_offset) % sizeof(UINT32) != 0) return NULL; const UINT32 *key_value_list = (const UINT32 *) (bcd + key->key_values_offset); @@ -266,7 +267,8 @@ TEST_STATIC CHAR16 *get_bcd_title(UINT8 *bcd, UINTN bcd_len) { CHAR8 order_guid[sizeof("{00000000-0000-0000-0000-000000000000}\0")]; if (displayorder_value->data_type != REG_MULTI_SZ || - displayorder_value->data_size != sizeof(CHAR16) * sizeof(order_guid)) + displayorder_value->data_size != sizeof(CHAR16[sizeof(order_guid)]) || + (UINTN)(bcd + displayorder_value->data_offset) % sizeof(CHAR16) != 0) /* BCD is multi-boot. */ return NULL; @@ -312,7 +314,8 @@ TEST_STATIC CHAR16 *get_bcd_title(UINT8 *bcd, UINTN bcd_len) { if (description_value->data_type != REG_SZ || description_value->data_size < sizeof(CHAR16) || - description_value->data_size % sizeof(CHAR16) != 0) + description_value->data_size % sizeof(CHAR16) != 0 || + (UINTN)(bcd + description_value->data_offset) % sizeof(CHAR16)) return NULL; /* The data should already be NUL-terminated. */ |