b9f070c2f2
Resolves: CVE-2024-45781 CVE-2024-45783 CVE-2024-45778 Resolves: CVE-2024-45775 CVE-2024-45780 CVE-2024-45774 Resolves: CVE-2025-0690 CVE-2025-1118 CVE-2024-45782 Resolves: CVE-2025-0624 CVE-2024-45779 CVE-2024-45776 Resolves: CVE-2025-0622 CVE-2025-0677 Resolves: #RHEL-80691 Resolves: #RHEL-80690 Resolves: #RHEL-80689 Resolves: #RHEL-80687 Resolves: #RHEL-80686 Signed-off-by: Leo Sandoval <lsandova@redhat.com> Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
57 lines
2.0 KiB
Diff
57 lines
2.0 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Alec Brown <alec.r.brown@oracle.com>
|
|
Date: Wed, 5 Feb 2025 22:04:08 +0000
|
|
Subject: [PATCH] loader/i386/bsd: Use safe math to avoid underflow
|
|
|
|
The operation kern_end - kern_start may underflow when we input it into
|
|
grub_relocator_alloc_chunk_addr() call. To avoid this we can use safe
|
|
math for this subtraction.
|
|
|
|
Fixes: CID 73845
|
|
|
|
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/loader/i386/bsd.c | 14 ++++++++++----
|
|
1 file changed, 10 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
|
|
index 8075ac9b0..50f96ea7a 100644
|
|
--- a/grub-core/loader/i386/bsd.c
|
|
+++ b/grub-core/loader/i386/bsd.c
|
|
@@ -1341,6 +1341,7 @@ static grub_err_t
|
|
grub_bsd_load_elf (grub_elf_t elf, const char *filename)
|
|
{
|
|
grub_err_t err;
|
|
+ grub_size_t sz;
|
|
|
|
kern_end = 0;
|
|
kern_start = ~0;
|
|
@@ -1371,8 +1372,11 @@ grub_bsd_load_elf (grub_elf_t elf, const char *filename)
|
|
|
|
if (grub_errno)
|
|
return grub_errno;
|
|
- err = grub_relocator_alloc_chunk_addr (relocator, &ch,
|
|
- kern_start, kern_end - kern_start);
|
|
+
|
|
+ if (grub_sub (kern_end, kern_start, &sz))
|
|
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "underflow detected while determining size of kernel for relocator");
|
|
+
|
|
+ err = grub_relocator_alloc_chunk_addr (relocator, &ch, kern_start, sz);
|
|
if (err)
|
|
return err;
|
|
|
|
@@ -1432,8 +1436,10 @@ grub_bsd_load_elf (grub_elf_t elf, const char *filename)
|
|
{
|
|
grub_relocator_chunk_t ch;
|
|
|
|
- err = grub_relocator_alloc_chunk_addr (relocator, &ch, kern_start,
|
|
- kern_end - kern_start);
|
|
+ if (grub_sub (kern_end, kern_start, &sz))
|
|
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "underflow detected while determining size of kernel for relocator");
|
|
+
|
|
+ err = grub_relocator_alloc_chunk_addr (relocator, &ch, kern_start, sz);
|
|
if (err)
|
|
return err;
|
|
kern_chunk_src = get_virtual_current_address (ch);
|