From 855fe6869cc4407569513a231f2a01cb8215e77f Mon Sep 17 00:00:00 2001
From: Vladimir Serbinenko
Date: Sun, 8 Nov 2015 20:34:30 +0100
Subject: [PATCH] cbfs: Check for ptr range sanity.

Triaged by Andrei and enhanced with suggestions by Aaron Durbin

Also-By: Andrei Borzenkov
---
 grub-core/fs/cbfs.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
index a34eb88cb..5fc9c0147 100644
--- a/grub-core/fs/cbfs.c
+++ b/grub-core/fs/cbfs.c
@@ -344,8 +344,16 @@ init_cbfsdisk (void)
   ptr = *(grub_uint32_t *) 0xfffffffc;
   head = (struct cbfs_header *) (grub_addr_t) ptr;
+  grub_dprintf ("cbfs", "head=%p\n", head);

-  if (!validate_head (head))
+  /* coreboot current supports only ROMs <= 16 MiB. Bigger ROMs will
+     have problems as RCBA is 18 MiB below end of 32-bit typically,
+     so either memory map would have to be rearranged or we'd need to support
+     reading ROMs through controller directly.
+  */
+  if (ptr < 0xff000000
+      || 0xffffffff - ptr < sizeof (*head) + 0x10
+      || !validate_head (head))
     return;

   cbfsdisk_size = ALIGN_UP (grub_be_to_cpu32 (head->romsize),