From: Alec Brown
To: grub-devel@gnu.org
Cc: daniel.kiper@oracle.com, darren.kenny@oracle.com
Subject: [PATCH 3/4] util/grub-module-verifierXX.c: Validate elf section header table index for section name string table
Date: Wed, 2 Feb 2022 19:26:59 -0500
Message-Id: <1643848020-8197-4-git-send-email-alec.r.brown@oracle.com>
In-Reply-To: <1643848020-8197-1-git-send-email-alec.r.brown@oracle.com>

In grub-module-verifierXX.c, the function find_section() uses the value from grub_target_to_host16 (e->e_shstrndx) to obtain the section header table index of the section name string table, but it wasn't being checked if the value was there.

According to the elf(5) manual page, "If the index of section name string table section is larger than or equal to SHN_LORESERVE (0xff00), this member holds SHN_XINDEX (0xffff) and the real index of the section name string table section is held in the sh_link member of the initial entry in section header table. Otherwise, the sh_link member of the initial entry in section header table contains the value zero."

Since this check wasn't being made, the function get_shstrndx() is being added to make this check and use e_shstrndx if it doesn't have SHN_XINDEX as a value, else use sh_link. We also need to make sure e_shstrndx isn't greater than or equal to SHN_LORESERVE and sh_link isn't less than SHN_LORESERVE.

Note that it may look as though the argument *arch isn't being used, but it's actually required in order to use the macros grub_target_to_host*(x) which are unwound to grub_target_to_host*_real(arch, (x)) based on defines earlier in the file.

Signed-off-by: Alec Brown
---
 util/grub-module-verifierXX.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/util/grub-module-verifierXX.c b/util/grub-module-verifierXX.c index 61b82141f..3a5265aff 100644 --- a/util/grub-module-verifierXX.c +++ b/util/grub-module-verifierXX.c 
@@ -161,6 +161,29 @@ get_shnum (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e) return shnum; } +static Elf_Word +get_shstrndx (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e) +{ + Elf_Shdr *s; + Elf_Word shstrndx; + + shstrndx = grub_target_to_host16 (e->e_shstrndx); + if (shstrndx == SHN_XINDEX) + { + s = get_shdr (arch, e, 0); + shstrndx = grub_target_to_host (s->sh_link); + if (shstrndx < SHN_LORESERVE) + grub_util_error ("Invalid section header table index in sh_link: %d", shstrndx); + } + else + { + if (shstrndx >= SHN_LORESERVE) + grub_util_error ("Invalid section header table index in e_shstrndx: %d", shstrndx); + } + + return shstrndx; +} + static Elf_Shdr * find_section (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e, const char *name) { @@ -168,7 +191,7 @@ find_section (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e, const c const char *str; unsigned i; - s = get_shdr (arch, e, grub_target_to_host16 (e->e_shstrndx)); + s = get_shdr (arch, e, get_shstrndx (arch, e)); str = (char *) e + grub_target_to_host (s->sh_offset); for (i = 0, s = get_shdr (arch, e, 0); -- 2.27.0
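Review bot: get_shstrndx() returns the index without comparing it to the section count, so the range checks alone do not keep find_section() inside the section header table: in the else branch any e_shstrndx below SHN_LORESERVE is accepted, and in the SHN_XINDEX branch any sh_link at or above SHN_LORESERVE is accepted. Since get_shnum() sits directly above, I would also reject shstrndx >= get_shnum (arch, e) before the return. A smaller point in the same function: shstrndx is an Elf_Word, which is unsigned, so both grub_util_error() format strings should use an unsigned conversion such as %u instead of %d.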
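Review bot: in the find_section() hunk, the result of get_shstrndx() goes straight into get_shdr(), but an e_shstrndx of SHN_UNDEF (0), which elf(5) uses for a file with no section name string table, passes through the else branch of get_shstrndx() unchanged. That makes section header 0 the string table, and str is then computed from that entry's sh_offset. I would treat SHN_UNDEF as an error, either inside get_shstrndx() or here before s->sh_offset is read, and say in the commit message that a module without a section name string table is rejected.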