From ab9c2a7711858b2300abf802230c044db55c5171 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Mon, 21 Nov 2016 15:34:00 +0100 Subject: [PATCH 163/229] efi/chainloader: fix wrong sanity check in relocate_coff() In relocate_coff(), the relocation entries are parsed from the original image (not the section-wise copied image). The original image is pointed-to by the "orig" pointer. The current check (void *)reloc_end < data compares the addresses of independent memory allocations. "data" is a typo here, it should be "orig". Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1347291 Signed-off-by: Laszlo Ersek Tested-by: Bogdan Costescu Tested-by: Juan Orti --- grub-core/loader/efi/chainloader.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c index b977c7b5573..d5ab21d09c3 100644 --- a/grub-core/loader/efi/chainloader.c +++ b/grub-core/loader/efi/chainloader.c @@ -401,7 +401,7 @@ relocate_coff (pe_coff_loader_image_context_t *context, reloc_end = (struct grub_pe32_fixup_block *) ((char *)reloc_base + reloc_base->size); - if ((void *)reloc_end < data || (void *)reloc_end > image_end) + if ((void *)reloc_end < orig || (void *)reloc_end > image_end) { grub_error (GRUB_ERR_BAD_ARGUMENT, "Reloc entry %d overflows binary", n); -- 2.15.0