coreboot: Check for unaligned cbfs header
authorKevin O'Connor <kevin@koconnor.net>
Tue, 12 Jan 2016 18:36:50 +0000 (13:36 -0500)
committerKevin O'Connor <kevin@koconnor.net>
Tue, 12 Jan 2016 18:36:50 +0000 (13:36 -0500)
If the CBFS header is invalid and points to 0xffffffff it could cause
SeaBIOS to read past the 4GB boundary and cause an exception.  Check
the alignment of the header pointer before attempting to access fields
within the header.

Reported-by: "Alex G." <mr.nuke.me@gmail.com>
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
src/fw/coreboot.c

index 3b9df142930a6a098d0d3e670d12bca32881e5bc..4fe12928cda87f3bd04df246e044b252885218a1 100644 (file)
@@ -421,6 +421,10 @@ coreboot_cbfs_init(void)
         return;
 
     struct cbfs_header *hdr = *(void **)(CONFIG_CBFS_LOCATION - 4);
+    if ((u32)hdr & 0x03) {
+        dprintf(1, "Invalid CBFS pointer %p\n", hdr);
+        return;
+    }
     if (CONFIG_CBFS_LOCATION && (u32)hdr > CONFIG_CBFS_LOCATION)
         // Looks like the pointer is relative to CONFIG_CBFS_LOCATION
         hdr = (void*)hdr + CONFIG_CBFS_LOCATION;
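Review bot: The new test on `(u32)hdr & 0x03` only rejects pointers with the low two bits set, so an aligned but still bogus value near the top of the address space (constructed example: 0xfffffffc) passes it and the header field reads that follow can still cross the 4GB boundary the commit message describes. A range check that leaves room for the whole header would close that, e.g. `if (((u32)hdr & 0x03) || (u32)hdr > 0xffffffff - sizeof(*hdr))`. The relative-pointer adjustment on the last three lines also runs after this check, so a value that only becomes out of range once CONFIG_CBFS_LOCATION is added is not caught; re-running the same validation after the adjustment would cover it. coreboot_cbfs_init continues outside the hunk.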