6eaa34fe07
- Resolves: CVE-2024-45779 CVE-2024-45778 CVE-2025-1118 - Resolves: CVE-2025-0677 CVE-2024-45782 CVE-2025-0690 - Resolves: CVE-2024-45783 CVE-2025-0624 CVE-2024-45776 - Resolves: CVE-2025-0622 CVE-2024-45774 CVE-2024-45775 - Resolves: CVE-2024-45781 CVE-2024-45780 - Resolves: #RHEL-79700 - Resolves: #RHEL-79341 - Resolves: #RHEL-79875 - Resolves: #RHEL-79849 - Resolves: #RHEL-79707 - Resolves: #RHEL-79857 - Resolves: #RHEL-79709 - Resolves: #RHEL-79846 - Resolves: #RHEL-75737 - Resolves: #RHEL-79713 - Resolves: #RHEL-73785 - Resolves: #RHEL-73787 - Resolves: #RHEL-79704 - Resolves: #RHEL-79702 Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
70 lines
2.0 KiB
Diff
70 lines
2.0 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Jonathan Bar Or <jonathanbaror@gmail.com>
|
|
Date: Thu, 23 Jan 2025 19:17:05 +0100
|
|
Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
|
|
than 2^31 characters
|
|
|
|
The grub_getline() function currently has a signed integer variable "i"
|
|
that can be overflown when user supplies more than 2^31 characters.
|
|
It results in a memory corruption of the allocated line buffer as well
|
|
as supplying large negative values to grub_realloc().
|
|
|
|
Fixes: CVE-2025-0690
|
|
|
|
Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
|
|
Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/commands/read.c | 19 +++++++++++++++----
|
|
1 file changed, 15 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
|
|
index 597c90706..8d72e45c9 100644
|
|
--- a/grub-core/commands/read.c
|
|
+++ b/grub-core/commands/read.c
|
|
@@ -25,6 +25,7 @@
|
|
#include <grub/types.h>
|
|
#include <grub/extcmd.h>
|
|
#include <grub/i18n.h>
|
|
+#include <grub/safemath.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] =
|
|
static char *
|
|
grub_getline (int silent)
|
|
{
|
|
- int i;
|
|
+ grub_size_t i;
|
|
char *line;
|
|
char *tmp;
|
|
int c;
|
|
+ grub_size_t alloc_size;
|
|
|
|
i = 0;
|
|
- line = grub_malloc (1 + i + sizeof('\0'));
|
|
+ line = grub_malloc (1 + sizeof('\0'));
|
|
if (! line)
|
|
return NULL;
|
|
|
|
@@ -59,8 +61,17 @@ grub_getline (int silent)
|
|
line[i] = (char) c;
|
|
if (!silent)
|
|
grub_printf ("%c", c);
|
|
- i++;
|
|
- tmp = grub_realloc (line, 1 + i + sizeof('\0'));
|
|
+ if (grub_add (i, 1, &i))
|
|
+ {
|
|
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
|
+ return NULL;
|
|
+ }
|
|
+ if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
|
|
+ {
|
|
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
|
+ return NULL;
|
|
+ }
|
|
+ tmp = grub_realloc (line, alloc_size);
|
|
if (! tmp)
|
|
{
|
|
grub_free (line);
|