rpms/grub2
6
0
Fork 0
Code Issues Pull Requests Releases Activity
d8b3b9c701
grub2/0632-commands-read-Fix-an-integer-overflow-when-supplying.patch
Leo Sandoval b209619f5b Add Several CVE fixes 
Resolves CVE-2024-45775 CVE-2025-0624
Resolves: #RHEL-75735
Resolves: #RHEL-79837

Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-02-18 12:01:18 -06:00

70 lines
2.0 KiB
Diff
Raw Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jonathan Bar Or <jonathanbaror@gmail.com>
Date: Thu, 23 Jan 2025 19:17:05 +0100
Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
than 2^31 characters
The grub_getline() function currently has a signed integer variable "i"
that can be overflown when user supplies more than 2^31 characters.
It results in a memory corruption of the allocated line buffer as well
as supplying large negative values to grub_realloc().
Fixes: CVE-2025-0690
Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/read.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
index fe3e88b15..7b6735b79 100644
--- a/grub-core/commands/read.c
+++ b/grub-core/commands/read.c
@@ -25,19 +25,21 @@
#include <grub/types.h>
#include <grub/command.h>
#include <grub/i18n.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
static char *
grub_getline (void)
{
- int i;
+ grub_size_t i;
char *line;
char *tmp;
char c;
+ grub_size_t alloc_size;
i = 0;
- line = grub_malloc (1 + i + sizeof('\0'));
+ line = grub_malloc (1 + sizeof('\0'));
if (! line)
return NULL;
@@ -50,8 +52,18 @@ grub_getline (void)
line[i] = c;
if (grub_isprint (c))
grub_printf ("%c", c);
- i++;
- tmp = grub_realloc (line, 1 + i + sizeof('\0'));
+ if (grub_add (i, 1, &i))
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ return NULL;
+ }
+ if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ return NULL;
+ }
+ tmp = grub_realloc (line, alloc_size);
+
if (! tmp)
{
grub_free (line);
Reference in New Issue View Git Blame Copy Permalink