mirror of
				https://git.proxmox.com/git/grub2
				synced 2025-10-26 00:01:27 +00:00 
			
		
		
		
	 3f05d693d1
			
		
	
	
		3f05d693d1
		
	
	
	
	
		
			
			This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:
  X = grub_malloc(arithmetic_expr);
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.
Among other issues, this fixes:
  - allocation of integer overflow in grub_video_bitmap_create()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_squash_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_ext2_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in read_section_as_string()
    reported by Chris Coulson.
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		
	
			
		
			
				
	
	
		
			166 lines
		
	
	
		
			3.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			166 lines
		
	
	
		
			3.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /* argv.c - methods for constructing argument vector */
 | |
| /*
 | |
|  *  GRUB  --  GRand Unified Bootloader
 | |
|  *  Copyright (C) 2010  Free Software Foundation, Inc.
 | |
|  *
 | |
|  *  GRUB is free software: you can redistribute it and/or modify
 | |
|  *  it under the terms of the GNU General Public License as published by
 | |
|  *  the Free Software Foundation, either version 3 of the License, or
 | |
|  *  (at your option) any later version.
 | |
|  *
 | |
|  *  GRUB is distributed in the hope that it will be useful,
 | |
|  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
|  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
|  *  GNU General Public License for more details.
 | |
|  *
 | |
|  *  You should have received a copy of the GNU General Public License
 | |
|  *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
 | |
|  */
 | |
| 
 | |
| #include <grub/mm.h>
 | |
| #include <grub/misc.h>
 | |
| #include <grub/script_sh.h>
 | |
| #include <grub/safemath.h>
 | |
| 
 | |
| /* Return nearest power of two that is >= v.  */
 | |
| static unsigned
 | |
| round_up_exp (unsigned v)
 | |
| {
 | |
|   COMPILE_TIME_ASSERT (sizeof (v) == 4);
 | |
| 
 | |
|   v--;
 | |
|   v |= v >> 1;
 | |
|   v |= v >> 2;
 | |
|   v |= v >> 4;
 | |
|   v |= v >> 8;
 | |
|   v |= v >> 16;
 | |
| 
 | |
|   v++;
 | |
|   v += (v == 0);
 | |
| 
 | |
|   return v;
 | |
| }
 | |
| 
 | |
| void
 | |
| grub_script_argv_free (struct grub_script_argv *argv)
 | |
| {
 | |
|   unsigned i;
 | |
| 
 | |
|   if (argv->args)
 | |
|     {
 | |
|       for (i = 0; i < argv->argc; i++)
 | |
| 	grub_free (argv->args[i]);
 | |
| 
 | |
|       grub_free (argv->args);
 | |
|     }
 | |
| 
 | |
|   argv->argc = 0;
 | |
|   argv->args = 0;
 | |
|   argv->script = 0;
 | |
| }
 | |
| 
 | |
| /* Make argv from argc, args pair.  */
 | |
| int
 | |
| grub_script_argv_make (struct grub_script_argv *argv, int argc, char **args)
 | |
| {
 | |
|   int i;
 | |
|   struct grub_script_argv r = { 0, 0, 0 };
 | |
| 
 | |
|   for (i = 0; i < argc; i++)
 | |
|     if (grub_script_argv_next (&r)
 | |
| 	|| grub_script_argv_append (&r, args[i], grub_strlen (args[i])))
 | |
|       {
 | |
| 	grub_script_argv_free (&r);
 | |
| 	return 1;
 | |
|       }
 | |
|   *argv = r;
 | |
|   return 0;
 | |
| }
 | |
| 
 | |
| /* Prepare for next argc.  */
 | |
| int
 | |
| grub_script_argv_next (struct grub_script_argv *argv)
 | |
| {
 | |
|   char **p = argv->args;
 | |
|   grub_size_t sz;
 | |
| 
 | |
|   if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
 | |
|     return 0;
 | |
| 
 | |
|   if (grub_add (argv->argc, 2, &sz) ||
 | |
|       grub_mul (sz, sizeof (char *), &sz))
 | |
|     return 1;
 | |
| 
 | |
|   p = grub_realloc (p, round_up_exp (sz));
 | |
|   if (! p)
 | |
|     return 1;
 | |
| 
 | |
|   argv->argc++;
 | |
|   argv->args = p;
 | |
| 
 | |
|   if (argv->argc == 1)
 | |
|     argv->args[0] = 0;
 | |
|   argv->args[argv->argc] = 0;
 | |
|   return 0;
 | |
| }
 | |
| 
 | |
| /* Append `s' to the last argument.  */
 | |
| int
 | |
| grub_script_argv_append (struct grub_script_argv *argv, const char *s,
 | |
| 			 grub_size_t slen)
 | |
| {
 | |
|   grub_size_t a;
 | |
|   char *p = argv->args[argv->argc - 1];
 | |
|   grub_size_t sz;
 | |
| 
 | |
|   if (! s)
 | |
|     return 0;
 | |
| 
 | |
|   a = p ? grub_strlen (p) : 0;
 | |
| 
 | |
|   if (grub_add (a, slen, &sz) ||
 | |
|       grub_add (sz, 1, &sz) ||
 | |
|       grub_mul (sz, sizeof (char), &sz))
 | |
|     return 1;
 | |
| 
 | |
|   p = grub_realloc (p, round_up_exp (sz));
 | |
|   if (! p)
 | |
|     return 1;
 | |
| 
 | |
|   grub_memcpy (p + a, s, slen);
 | |
|   p[a+slen] = 0;
 | |
|   argv->args[argv->argc - 1] = p;
 | |
| 
 | |
|   return 0;
 | |
| }
 | |
| 
 | |
| /* Split `s' and append words as multiple arguments.  */
 | |
| int
 | |
| grub_script_argv_split_append (struct grub_script_argv *argv, const char *s)
 | |
| {
 | |
|   const char *p;
 | |
|   int errors = 0;
 | |
| 
 | |
|   if (! s)
 | |
|     return 0;
 | |
| 
 | |
|   while (*s && grub_isspace (*s))
 | |
|     s++;
 | |
| 
 | |
|   while (! errors && *s)
 | |
|     {
 | |
|       p = s;
 | |
|       while (*s && ! grub_isspace (*s))
 | |
| 	s++;
 | |
| 
 | |
|       errors += grub_script_argv_append (argv, p, s - p);
 | |
| 
 | |
|       while (*s && grub_isspace (*s))
 | |
| 	s++;
 | |
| 
 | |
|       if (*s)
 | |
| 	errors += grub_script_argv_next (argv);
 | |
|     }
 | |
|   return errors;
 | |
| }
 |