pefile_digest_pe_contents() hashes each PE section using PointerToRawData
and SizeOfRawData from the section table. These fields are parsed from the
input image, but the per-section hashing path does not check that the
resulting range lies inside the supplied PE buffer before passing it to
crypto_shash_update().

A malformed image passed to kexec_file_load() can therefore make signature
verification read past the end of the PE buffer. Return -ELIBBAD for
out-of-range section data and guard hashed_bytes against unsigned wrap
before it is used by the trailing-data calculation.

Link: https://lore.kernel.org/keyrings/20260430173632.277436-3-bestswngs@gmail.com/
Fixes: af316fc442ef ("pefile: Digest the PE binary and compare to the PKCS#7 data")
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
 crypto/asymmetric_keys/verify_pefile.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
index 1f3b227ba7f22..1405b76322cbd 100644
--- a/crypto/asymmetric_keys/verify_pefile.c
+++ b/crypto/asymmetric_keys/verify_pefile.c
@@ -292,6 +292,15 @@ static int pefile_digest_pe_contents(const void *pebuf, unsigned int pelen,
 		i = canon[loop];
 		if (ctx->secs[i].raw_data_size == 0)
 			continue;
+		if (ctx->secs[i].data_addr > pelen ||
+		    ctx->secs[i].raw_data_size > pelen - ctx->secs[i].data_addr) {
+			kfree(canon);
+			return -ELIBBAD;
+		}
+		if (ctx->secs[i].raw_data_size > UINT_MAX - hashed_bytes) {
+			kfree(canon);
+			return -ELIBBAD;
+		}
 		ret = crypto_shash_update(desc,
 					  pebuf + ctx->secs[i].data_addr,
 					  ctx->secs[i].raw_data_size);
-- 
2.53.0