Fix a segfault in grub2-editenv when attempting to shrink a variable

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-12 20:16:59 +02:00 · 2020-05-12 20:16:59 +02:00 · 107dc9a693
commit 107dc9a693
parent b914a7e168
3 changed files with 65 additions and 1 deletions
--- a/0213-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
+++ b/0213-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 12 May 2020 01:00:51 +0200
+Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
+ variable value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an existing variable is set with a value whose length is smaller than
+the current value, a memory corruption can happen due copying padding '#'
+characters outside of the environment block buffer.
+
+This is caused by a wrong calculation of the previous free space position
+after moving backward the characters that followed the old variable value.
+
+That position is calculated to fill the remaining of the buffer with the
+padding '#' characters. But since isn't calculated correctly, it can lead
+to copies outside of the buffer.
+
+The issue can be reproduced by creating a variable with a large value and
+then try to set a new value that is much smaller:
+
+$ grub2-editenv --version
+grub2-editenv (GRUB) 2.04
+
+$ grub2-editenv env create
+
+$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
+
+$ wc -c env
+1024 grubenv
+
+$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
+malloc(): corrupted top size
+Aborted (core dumped)
+
+$ wc -c env
+0 grubenv
+
+Reported-by: Renaud Métrich <rmetrich@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Patch-cc: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/lib/envblk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
+index f89d86d4e8d..874506da169 100644
+--- a/grub-core/lib/envblk.c
+++ b/grub-core/lib/envblk.c
+@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
+               /* Move the following characters backward, and fill the new
+                  space with harmless characters.  */
+               grub_memmove (p + vl, p + len, pend - (p + len));
+-              grub_memset (space + len - vl, '#', len - vl);
+              grub_memset (space - (len - vl), '#', len - vl);
+             }
+           else
+             /* Move the following characters forward.  */
--- a/grub.patches
+++ b/grub.patches
@ -210,3 +210,4 @@ Patch0209: 0209-10_linux.in-Enable-BLS-configuration-if-new-kernel-p.patch
 Patch0210: 0210-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
 Patch0211: 0211-blscfg-Lookup-default_kernelopts-variable-as-fallbac.patch
 Patch0212: 0212-10_linux.in-fix-early-exit-due-error-when-reading-pe.patch
+Patch0213: 0213-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
--- a/grub2.spec
+++ b/grub2.spec
@ -9,7 +9,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.04
-Release:	15%{?dist}
+Release:	16%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@ -504,6 +504,9 @@ rm -r /boot/grub2.tmp/ || :
 %endif

 %changelog
+* Tue May 12 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.04-16
+- Fix a segfault in grub2-editenv when attempting to shrink a variable
+
 * Thu Apr 30 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.04-15
 - blscfg: Lookup default_kernelopts variable as fallback for options
  Related: rhbz#1765297