Re: [PATCH] firmware: google: add bounds checks in coreboot_table_populate()
From: Tzung-Bi Shih
Date: Mon Apr 27 2026 - 22:48:27 EST
On Sun, Apr 26, 2026 at 11:47:39PM +0200, Titouan Ameline de Cadeville wrote:
> coreboot_table_populate() iterates over firmware-provided table entries
> with no validation that the entries stay within the mapped memory region.
> A corrupt table with a large entry->size advances ptr_entry past the
> mapped region, causing an out-of-bounds read on the next iteration.
>
> Add a check before dereferencing ptr_entry to ensure the entry header
> is readable, and a second check after reading entry->size to ensure the
> full entry stays within the mapped region.
>
> Pass len from coreboot_table_probe() into coreboot_table_populate() to
> make the mapped region size available for validation.
To be fair, the `len` is also from the firmware. If it's corrupted as well,
the out-of-bounds read could still happen.
>
> [...]
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux.git for-firmware-next
[1/1] firmware: google: add bounds checks in coreboot_table_populate()
commit: 7b1a1af4556a4f95ef273e91435fe804cbfcd223
Thanks!
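The two checks described in the commit message, as an added C illustration that is not the kernel driver's code: a hypothetical `struct cb_entry` stands in for the coreboot entry header, and `walk_entries()` validates first that the header is readable and then that the whole entry stays within `len`. The sample tables below are constructed, and the loop terminates on `len` rather than on a firmware-provided entry count, which is a simplification of the driver's loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the coreboot table entry header: a tag and a
 * size in bytes that includes the header itself (the entry->size of the
 * commit message). */
struct cb_entry {
    uint32_t tag;
    uint32_t size;
};

/* Walk entries in [base, base + len). Returns the number of entries that
 * lie fully inside the mapped region, or -1 at the first malformed one. */
int walk_entries(const uint8_t *base, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        struct cb_entry e;

        /* Check 1: the header must be readable before it is dereferenced. */
        if (len - off < sizeof(e))
            return -1;
        memcpy(&e, base + off, sizeof(e));

        /* Check 2: size must cover the header and not run past the region.
         * Comparing against len - off avoids overflowing off + e.size. */
        if (e.size < sizeof(e) || e.size > len - off)
            return -1;

        count++;
        off += e.size;
    }
    return count;
}

/* Constructed sample: a 32-byte region holding two 16-byte entries. If
 * corrupt is nonzero, the second entry claims 0x1000 bytes instead. */
int demo_walk(int corrupt, size_t len)
{
    uint8_t buf[32];
    struct cb_entry a = { 0x17, 16 };
    struct cb_entry b = { 0x18, corrupt ? 0x1000u : 16u };

    memset(buf, 0, sizeof(buf));
    memcpy(buf, &a, sizeof(a));
    memcpy(buf + 16, &b, sizeof(b));
    return walk_entries(buf, len <= sizeof(buf) ? len : sizeof(buf));
}
```

As the reply above notes, `len` is itself firmware-provided in the real driver, so these checks only confine the walk to whatever region was actually mapped; they do not make the table trustworthy.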