authorMichael Brown2011-03-15 02:52:58 +0100
committerMichael Brown2011-03-15 03:07:22 +0100
commit23daab14a66d407db4ea81811bddf9da95cc35e9 (patch)
tree75ba07a813d050a7035988139b3d76b8f745a6dc /src/arch
parent[eepro100] Do not discard short packets (diff)
[romprefix] Use correct size for PMM allocation of image source block
iPXE allocates its first PMM block using the image source length, which is rounded up to the nearest 16-byte paragraph. It then copies in data of a length calculated from the ROM size, which is theoretically less than or equal to the image source length, but is rounded up to the nearest 512-byte sector. This can result in copying beyond the end of the allocated PMM block, which can corrupt the PMM data structures (and other essentially arbitrary areas of memory). Fix by rounding up the image source length to the nearest 512-byte sector before using it as the PMM allocation length. Reported-by: Alex Williamson <alex.williamson@redhat.com> Reported-by: Jarrod Johnson <jarrod.b.johnson@gmail.com> Reported-by: Itay Gazit <itayg@mellanox.co.il> Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/arch')
-rw-r--r--src/arch/i386/prefix/romprefix.S13
1 files changed, 7 insertions, 6 deletions
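diff --git a/src/arch/i386/prefix/romprefix.S b/src/arch/i386/prefix/romprefix.S
index ede0fb42..dd602ddb 100644
--- a/src/arch/i386/prefix/romprefix.S
+++ b/src/arch/i386/prefix/romprefix.S
@@ -320,7 +320,8 @@ pmm_scan:
 /* We have PMM and so a 1kB stack: preserve whole registers */
 pushal
 /* Allocate image source PMM block */
-movzwl image_source_len_pgh, %ecx
+movzwl image_source_size, %ecx
+shll $5, %ecx
 movl $PMM_HANDLE_BASE_IMAGE_SOURCE, %ebx
 movw $get_pmm_image_source, %bp
 call get_pmm
@@ -565,16 +566,16 @@ image_source:
 .long 0
 .size image_source, . - image_source
-/* Image source area length (in paragraphs)
+/* Image source size (in 512-byte sectors)
 *
 */
-image_source_len_pgh:
+image_source_size:
 .word 0
-.size image_source_len_pgh, . - image_source_len_pgh
+.size image_source_size, . - image_source_size
 .section ".zinfo.fixup", "a", @progbits /* Compressor fixups */
 .ascii "ADDW"
-.long image_source_len_pgh
-.long 16
+.long image_source_size
+.long 512
 .long 0
 .previous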
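Review bot: The new `shll $5, %ecx` in the pmm_scan hunk encodes the sector-to-paragraph ratio (512 / 16 = 32) as a bare shift count, with nothing at the call site saying that the value is now a sector count scaled up to the paragraph units get_pmm presumably consumes; a reader auditing the over-copy this commit fixes has to rediscover that from the data-section hunk. I'd comment it inline, `shll $5, %ecx /* 512-byte sectors -> 16-byte paragraphs */`, and put a matching note on the `.long 512` fixup that it must stay in step with that shift, since a mismatch between the two would silently reintroduce a short allocation. The shift itself cannot overflow: a 16-bit sector count from `movzwl image_source_size` times 32 fits in the 32-bit register. The pmm_scan routine starts before and continues after the hunk, so whether %ecx is exactly the paragraph count passed through to the PMM allocate call is inferred here rather than visible.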