[romprefix] Use correct size for PMM allocation of image source block
iPXE allocates its first PMM block using the image source length,
which is rounded up to the nearest 16-byte paragraph.  It then copies
in data of a length calculated from the ROM size, which is
theoretically less than or equal to the image source length, but is
rounded up to the nearest 512-byte sector.  This can result in copying
beyond the end of the allocated PMM block, which can corrupt the PMM
data structures (and other essentially arbitrary areas of memory).

Fix by rounding up the image source length to the nearest 512-byte
sector before using it as the PMM allocation length.

Reported-by: Alex Williamson <alex.williamson@redhat.com>
Reported-by: Jarrod Johnson <jarrod.b.johnson@gmail.com>
Reported-by: Itay Gazit <itayg@mellanox.co.il>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
mcb30 committed Mar 15, 2011
1 parent c315ae0 commit 23daab1
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions src/arch/i386/prefix/romprefix.S
Expand Up @@ -320,7 +320,8 @@ pmm_scan:
/* We have PMM and so a 1kB stack: preserve whole registers */
pushal
/* Allocate image source PMM block */
movzwl image_source_len_pgh, %ecx
movzwl image_source_size, %ecx
shll $5, %ecx
movl $PMM_HANDLE_BASE_IMAGE_SOURCE, %ebx
movw $get_pmm_image_source, %bp
call get_pmm
Expand Down Expand Up @@ -565,16 +566,16 @@ image_source:
.long 0
.size image_source, . - image_source

/* Image source area length (in paragraphs)
/* Image source size (in 512-byte sectors)
*
*/
image_source_len_pgh:
image_source_size:
.word 0
.size image_source_len_pgh, . - image_source_len_pgh
.size image_source_size, . - image_source_size
.section ".zinfo.fixup", "a", @progbits /* Compressor fixups */
.ascii "ADDW"
.long image_source_len_pgh
.long 16
.long image_source_size
.long 512
.long 0
.previous

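Review bot: The `shll $5, %ecx` that follows `movzwl image_source_size, %ecx` encodes the 512-byte-sector to 16-byte-paragraph conversion (32 = 512/16) as a bare constant, and nothing ties it to the `.long 512` divisor in the `.zinfo.fixup` record further down; if either side is changed without the other, get_pmm would be handed a length in the wrong unit and the overflow this commit fixes could return. I would comment the shift, `shll $5, %ecx /* 512-byte sectors -> 16-byte paragraphs; must match the .zinfo.fixup divisor */`, or derive both values from a single `.equ`. The allocation is now rounded to sectors, but per the commit message the copy length is still computed independently from the ROM size at a site outside this hunk, so the fix relies on that value never exceeding the sector-rounded image_source_size; a comment at the copy site recording this invariant, or clamping the copy length to the allocated block, would make the bound explicit rather than implied. The pmm_scan block that the first hunk belongs to starts and ends outside the hunk.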
