CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
In verify_buffer_sbat(), we have a goal-seeking loop to find the .sbat
section header.  Unfortunately, while the actual contents of the section
are checked for being inside the binary, no such check exists for the
contents of the section table entry.

As a result, a carefully constructed binary will cause an out-of-bounds
read when checking whether the section name is ".sbat\0\0\0" or not.

This patch adds a check that each section table entry is within the
bounds of the binary.

It's not currently known if this is actually exploitable beyond creating
a denial of service, and an attacker who is in a position to use it for
a denial of service attack must already be able to do so.

Resolves: CVE-2023-40550
Reported-by: gkirkpatrick@google.com
Signed-off-by: Peter Jones <pjones@redhat.com>
vathpela committed Dec 5, 2023
1 parent e912071 commit 93ce255
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions shim.c
@@ -709,6 +709,11 @@ verify_buffer_sbat (char *data, int datasize,

Section = context->FirstSection;
for (i = 0; i < context->NumberOfSections; i++, Section++) {
if ((uint64_t)&Section[1] > (uint64_t)data + datasize) {
perror(L"Section exceeds bounds of image\n");
return EFI_UNSUPPORTED;
}

if (CompareMem(Section->Name, ".sbat\0\0\0", 8) != 0)
continue;

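Review bot: the new bound check in this hunk only tests the upper edge of each section table entry (`&Section[1]` against `data + datasize`), and it does so with integer-converted pointers, so it silently relies on `data + datasize` not wrapping and on `FirstSection` already lying at or above `data`; neither is established in the visible lines, and `datasize` is a plain `int`, so a negative value would be sign-extended before the addition. Consider computing the end pointer once before the loop from a validated, non-negative size and comparing both edges of the entry against it, e.g. `if ((uint64_t)Section < (uint64_t)data || (uint64_t)&Section[1] > end)`, which also avoids repeating the `(uint64_t)data + datasize` arithmetic on every iteration. The `>` (rather than `>=`) is correct here, since an entry ending exactly at `data + datasize` is still fully inside the buffer. A one-line comment stating that this guards the header entry itself, separately from the later check on the section contents mentioned in the commit message, would help the next reader distinguish the two bounds checks.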