Open
Labels
package:mdepkg, package:ovmfpkg, package:securitypkg, priority:medium, state:needs-maintainer-feedback, type:feature-request
Description
Feature Overview
The PE header hashing code does not check that the section headers contain all data between the image header and the signature. It also does not check that they do not overlap. If these conditions are violated, the hash will be computed incorrectly.
Solution Overview
Reject PE images that violate this rule, perhaps in PeCoffLoaderGetPeHeader().
Alternatives Considered
None
What packages are impacted?
OvmfPkg, MdePkg, SecurityPkg
Urgency
Medium
Are you going to implement the feature request?
I will implement the feature
Do you need maintainer feedback?
Maintainer feedback requested
Anything else?
This does reject images that would previously have been accepted, but I believe these images are nonsensical. Also, it is not possible to modify an existing image to be malformed in this way without breaking the signature.
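The rule requested in this issue, sketched as an added example; it is not code from the issue or from edk2. `SectionRange`, `check_section_layout` and the status names are hypothetical, and `sig_offset` is assumed to be the file offset at which the signature begins.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical reduced section header: only the two fields the check needs. */
typedef struct {
    uint32_t PointerToRawData;  /* file offset of the section's raw data */
    uint32_t SizeOfRawData;     /* bytes of raw data stored in the file  */
} SectionRange;

typedef enum { LAYOUT_OK, LAYOUT_GAP, LAYOUT_OVERLAP, LAYOUT_OVERRUN } LayoutStatus;

static int cmp_by_offset(const void *a, const void *b)
{
    uint32_t x = ((const SectionRange *)a)->PointerToRawData;
    uint32_t y = ((const SectionRange *)b)->PointerToRawData;
    return (x > y) - (x < y);
}

/* LAYOUT_OK only if the sections that carry raw data tile the range
   [size_of_headers, sig_offset) exactly. Sorts sec[] in place. */
LayoutStatus check_section_layout(SectionRange *sec, size_t count,
                                  uint32_t size_of_headers, uint32_t sig_offset)
{
    uint64_t expected = size_of_headers;  /* next file offset that must be covered */

    qsort(sec, count, sizeof sec[0], cmp_by_offset);
    for (size_t i = 0; i < count; i++) {
        if (sec[i].SizeOfRawData == 0)
            continue;                     /* section has no data in the file */
        uint64_t start = sec[i].PointerToRawData;
        uint64_t end = start + sec[i].SizeOfRawData;  /* 64-bit sum cannot wrap */
        if (start < expected) return LAYOUT_OVERLAP;  /* bytes would be hashed twice */
        if (start > expected) return LAYOUT_GAP;      /* bytes not owned by any section */
        if (end > sig_offset) return LAYOUT_OVERRUN;  /* section runs into the signature */
        expected = end;
    }
    return expected == sig_offset ? LAYOUT_OK : LAYOUT_GAP;
}

int main(void)
{
    /* Constructed sample layout: two contiguous sections, listed out of order. */
    SectionRange s[] = { { 0x600, 0x400 }, { 0x400, 0x200 } };
    printf("%d\n", check_section_layout(s, 2, 0x400, 0xA00));
    return 0;
}
```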