Coverity identified several untrusted loop bounds and untrusted allocation size
bugs in grub-core/loader/i386/bsdXX.c and grub-core/loader/multiboot_elfXX.c.
Upon review of these bugs, I found that specific checks weren't being made to
various ELF header values based on the ELF manual page. The first four patches
in this patch series address the Coverity bugs, as well as add functions to
check for the correct ELF header values. The last two patches add fixes to
previous work done in util/grub-module-verifierXX.c that also relates to making
checks of ELF header values.

The Coverity bugs being addressed are:
CID 314018
CID 314030
CID 314031
CID 314039

Alec Brown (6):
      grub-core/loader/i386/bsdXX.c: Avoid downcasting (char *) to (Elf_Shdr *)
      elf: Validate number of elf section header table entries
      elf: Validate elf section header table index for section name string table
      elf: Validate number of elf program header table entries
      util/grub-module-verifierXX.c: Add e_shoff check in get_shdr()
      util/grub-module-verifierXX.c: Changed get_shnum() return type

 grub-core/kern/elf.c               |  18 ++++++++++++++++++
 grub-core/kern/elfXX.c             | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 grub-core/loader/i386/bsdXX.c      | 142 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------------------------------------------
 grub-core/loader/multiboot_elfxx.c |  79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------
 include/grub/elf.h                 |  23 +++++++++++++++++++++++
 util/grub-module-verifierXX.c      |  13 +++++++++----
 6 files changed, 290 insertions(+), 86 deletions(-)


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
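
The kind of check the cover letter describes for the section header count, as an added example that is not code from this patch series or from GRUB: per the ELF manual page, an e_shnum of 0 means the real count is stored in sh_size of section header 0, and either value is attacker-controlled until it is bounded by the image size. The names ehdr64, shdr64 and elf64_section_count are hypothetical, and rejecting an image with no section header table is a policy chosen for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHN_LORESERVE 0xff00u /* first reserved section index (ELF manual page) */
/* ELF64 file header and section header, laid out as in the ELF manual page. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64;
typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} shdr64;

/* Hypothetical helper: store the real section count in *out and return 0, or
 * return -1 if the header is inconsistent. Assumes host byte order == image. */
int elf64_section_count(const uint8_t *img, size_t len, uint64_t *out)
{
    ehdr64 eh;
    shdr64 sh0;
    uint64_t n;
    if (len < sizeof eh)
        return -1;
    memcpy(&eh, img, sizeof eh);
    /* Entry 0 must lie inside the image before it is read. */
    if (eh.e_shoff == 0 || eh.e_shentsize != sizeof sh0 ||
        eh.e_shoff > len || len - eh.e_shoff < sizeof sh0)
        return -1;
    n = eh.e_shnum;
    if (n >= SHN_LORESERVE)
        return -1; /* counts this large must use the extended form */
    if (n == 0) {
        /* Extended numbering: the real count is sh_size of entry 0. */
        memcpy(&sh0, img + eh.e_shoff, sizeof sh0);
        n = sh0.sh_size;
        if (n < SHN_LORESERVE)
            return -1;
    }
    /* Bound the loop: the whole table must fit (division avoids overflow). */
    if (n > (len - eh.e_shoff) / sizeof sh0)
        return -1;
    *out = n;
    return 0;
}
```

A caller would use the returned count, never the raw e_shnum, as the loop bound and allocation size when walking the section header table.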
