If huft_build() fails, gzio->tl or gzio->td could contain pointers that
are no longer valid. Zero them out.
This prevents a double free when grub_gzio_close() comes through and
attempts to free them again.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In huft_build(), "v" is a table of values in order of bit length.
The code later (when setting up table entries in "r") assumes that all
elements of this array corresponding to a code are initialized and less
than N_MAX. However, it doesn't enforce this.
With sufficiently manipulated inputs (e.g. from fuzzing), there can be
elements of "v" that are not filled. Therefore a lookup into "e" or "d"
will use an uninitialized value. This can lead to an invalid/OOB read on
those values, often leading to a crash.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
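The hazard described above, as an added illustration that is not GRUB's code: a cut-down version of huft_build()'s first pass fills `v` with symbol values ordered by bit length, and any slot the length counts never reached stays whatever the stack held. Pre-filling every slot with a sentinel and refusing to use a slot that is unfilled or holds a value at or past the size of the `e`/`d` tables turns the out-of-bounds read into a clean failure. The function names, the sentinel value and the sample length array are assumptions of this example, and the guard is a generic one, not the project's actual fix.

```c
#include <stddef.h>

#define N_MAX 288              /* maximum number of codes in any set (as in gzio.c) */
#define BMAX 16                /* maximum bit length of any code */
#define UNSET ((unsigned)-1)   /* sentinel: this v[] slot was never filled (assumption) */

/* Simplified huft_build()-style first pass: count codes per bit length,
 * compute where each length's run starts in v[], and fill v[] with symbol
 * values ordered by code length. Every slot is set to UNSET first, so a
 * later read of an unfilled slot is detectable instead of undefined.
 * Returns the number of slots actually filled, or -1 on invalid lengths. */
int build_value_table(const unsigned *b, unsigned n, unsigned *v) {
    unsigned c[BMAX + 1] = {0};   /* c[k] = number of codes of length k */
    unsigned x[BMAX + 1] = {0};   /* x[k] = first v[] index used by length k */
    unsigned i, j;

    if (n > N_MAX)
        return -1;
    for (i = 0; i < N_MAX; i++)
        v[i] = UNSET;
    for (i = 0; i < n; i++) {
        if (b[i] > BMAX)
            return -1;
        c[b[i]]++;
    }
    for (j = 1; j < BMAX; j++)    /* length 0 means "no code" and is skipped */
        x[j + 1] = x[j] + c[j];
    for (i = 0; i < n; i++)
        if (b[i])
            v[x[b[i]]++] = i;
    return (int)(n - c[0]);
}

/* Guarded lookup: the stored value is later used to index extra-bits tables
 * of 'limit' entries, so refuse slots past v[], unfilled slots, and values
 * that would index past those tables. Returns the value or -1. */
int lookup_value(const unsigned *v, unsigned p, unsigned limit) {
    if (p >= N_MAX || v[p] == UNSET || v[p] >= limit)
        return -1;
    return (int)v[p];
}
```

With a constructed length array such as {3, 0, 2, 3, 0, 1}, only four slots of `v` are filled (symbols 5, 2, 0, 3 in length order); reading slot 4 through `lookup_value` fails instead of returning stack garbage.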
init_dynamic_block() didn't clean up gzio->tl and td in some error
paths. This left td pointing to part of tl. Then in grub_gzio_close(),
when tl was freed the storage for td would also be freed. The code then
attempts to free td explicitly, performing a UAF and then a double free.
Explicitly clean up tl and td in the error paths.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
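The double free from the two commits above (stale `tl`/`td` after a failed huft_build(), and `td` left pointing into `tl`'s storage on an error path), as an added example that is not GRUB's code. The struct, the `tracked_*` allocator and the function names are assumptions of this example; the tracker exists only so that an invalid or repeated free is counted rather than handed to the real allocator, where it would be undefined behaviour.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cut-down stand-in for the two Huffman table pointers in the
 * gzio state; the struct is an assumption of this example, not GRUB's. */
struct huft { unsigned char e, b; unsigned short n; };
struct gzio_ctx {
    struct huft *tl;   /* literal/length table: owns the heap block */
    struct huft *td;   /* distance table: here it aliases part of tl */
};

/* Tiny free-tracker: records live allocations so an invalid or double free
 * is counted instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int bad_frees;

static void *tracked_alloc(size_t nmemb, size_t size) {
    void *p = calloc(nmemb, size);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_frees++;   /* never allocated, already freed, or an interior pointer */
}

/* Error path as the commits describe it: tl is allocated, td is pointed
 * into tl, a later step fails, and both pointers are left as they are. */
static int build_tables_buggy(struct gzio_ctx *g) {
    g->tl = tracked_alloc(64, sizeof *g->tl);
    if (!g->tl) return -1;
    g->td = g->tl + 32;
    return -1;   /* simulated huft_build() failure */
}

/* Fixed error path: free the owning block exactly once and null both
 * fields, so close() finds nothing dangling. */
static int build_tables_fixed(struct gzio_ctx *g) {
    g->tl = tracked_alloc(64, sizeof *g->tl);
    if (!g->tl) return -1;
    g->td = g->tl + 32;
    /* simulated huft_build() failure */
    tracked_free(g->tl);   /* td aliases tl: free the owner, not both */
    g->tl = NULL;
    g->td = NULL;
    return -1;
}

/* Mirrors the close routine's behaviour from the commit text: it frees
 * whatever tl and td hold, without knowing whether td aliases tl. */
static void gzio_close(struct gzio_ctx *g) {
    tracked_free(g->tl);
    tracked_free(g->td);
    memset(g, 0, sizeof *g);
}

/* Run build-then-close and report how many invalid frees the tracker saw. */
int bad_frees_after(int (*build)(struct gzio_ctx *)) {
    struct gzio_ctx g = {0};
    bad_frees = 0;
    (void)build(&g);
    gzio_close(&g);
    return bad_frees;
}
```

With the buggy error path, close() frees `tl` and then tries to free `td`, which now points into freed memory; the tracker reports one invalid free where the real code would do a use-after-free followed by a double free. With the fixed path it reports none.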
This is an ugly fix that doesn't address why gzio->tl comes to be NULL.
However, it seems to be sufficient to patch up a bunch of NULL derefs.
It would be good to revisit this in future and see if we can have
a cleaner solution that addresses some of the causes of the unexpected
NULL pointers.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This modifies most of the places we do some form of:
X = malloc(Y * Z);
to use calloc(Y, Z) instead.
Among other issues, this fixes:
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in luks_recover_key()
reported by Chris Coulson,
- allocation of integer overflow in grub_lvm_detect()
reported by Chris Coulson.
Fixes: CVE-2020-14308
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
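Why `malloc(Y * Z)` is the bug and `calloc(Y, Z)` the fix, as an added example that is not GRUB's code: `size_t` multiplication wraps, so an attacker-chosen count can make the request tiny while the caller goes on to write the full intended size. The helper names below are assumptions of this example; the overflow test `a > SIZE_MAX / b` is the standard one and is what every mainstream libc performs inside calloc().

```c
#include <stdint.h>
#include <stdlib.h>

/* The product a*b exactly as a naive malloc(a * b) caller computes it:
 * size_t arithmetic wraps modulo 2^N, so a huge request can become tiny. */
size_t wrapped_product(size_t a, size_t b) {
    return a * b;
}

/* a*b fits in size_t iff b == 0 || a <= SIZE_MAX / b. */
int mul_overflows(size_t a, size_t b) {
    return b != 0 && a > SIZE_MAX / b;
}

/* Checked replacement for malloc(nmemb * size): refuse a request whose
 * product wrapped instead of returning an undersized buffer. This is the
 * check calloc(nmemb, size) does internally, which is why the commit above
 * switches the affected call sites to it. (Helper name is an assumption.) */
void *checked_array_alloc(size_t nmemb, size_t size) {
    if (mul_overflows(nmemb, size))
        return NULL;
    return malloc(nmemb * size);
}
```

On a 64-bit target, nmemb = SIZE_MAX / 2 + 2 with size = 2 wraps to a request of 2 bytes; the checked allocator, like calloc(), returns NULL for it.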
Let's provide file type info to the I/O layer. This way verifiers
framework and its users will be able to differentiate files and verify
only required ones.
This is preparatory patch.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
To reproduce the problem, make sure you have a GPG public key available, build and install GRUB:
grub-install --debug --debug-image="all" --pubkey=/boot/pubkey.gpg --modules="serial terminfo gzio search search_label search_fs_uuid search_fs_file linux vbe video_fb video mmap relocator verify gcry_rsa gcry_dsa gcry_sha256 hashsum gcry_sha1 mpi echo loadenv boottime" /dev/sda
Sign all the files in /boot/grub/* and reboot.
'make check' results identical before and after this change.
TESTED: In a QEMU VM using an i386 target.
even more important testing by Colin.
* Makefile.util.def (libgrubmods.a): Add crc.c and gzio.c.
* grub-core/Makefile.core.def (btrfs): Add crc.c.
* grub-core/fs/btrfs.c: Stub replaced with real implementation.
* grub-core/io/gzio.c (grub_gzio): New fields mem_input_size,
mem_input_off and mem_input. All users updated to accept in-RAM input.
(gzio_seek): New function.
(test_zlib_header): Likewise.
(grub_gzio_read): Likewise.
(grub_zlib_decompress): Likewise.
* grub-core/kern/emu/getroot.c (grub_find_root_device_from_mountinfo):
Accept partial and non-virtual mounts.
(grub_guess_root_device): Do rescanning after device_from_mountinfo to
avoid receiving /dev/dm-X as device.
* grub-core/kern/emu/misc.c (grub_make_system_path_relative_to_its_root):
Handle bind and partial mounts.
* grub-core/lib/crc.c: New file.
* include/grub/deflate.h: Likewise.
* include/grub/emu/misc.h (grub_find_root_device_from_mountinfo): New
proto.
* include/grub/lib/crc.h: New file.
used e.g. for initrd or modules. Moreover gzip handling of not
easily seekable files is buggy. Disable unknown file size for now. May
be inefficient but works.
* grub-core/io/gzio.c (test_header): Always retrieve the file size.
* grub-core/io/xzio.c (grub_xzio_open): Likewise.
(grub_file_seekable): New inline function.
* grub-core/io/gzio.c (test_header): Don't test end magic if file isn't
easily seekable.
(grub_gzio_open): Set not_easily_seekable.
* grub-core/fs/i386/pc/pxe.c (grub_pxefs_open): Set not_easily_seekable.
* grub-core/io/bufio.c (grub_bufio_open): Propagate not_easily_seekable.