dcavalca / rpms / grub2

Forked from rpms/grub2 3 years ago
Clone

Blame SOURCES/0311-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch

a4d572
From 0a9a828e88a2e14be684761afe582e7bb286676b Mon Sep 17 00:00:00 2001
a4d572
From: Colin Watson <cjwatson@debian.org>
a4d572
Date: Fri, 24 Jul 2020 17:18:09 +0100
a4d572
Subject: [PATCH 311/314] efilinux: Fix integer overflows in grub_cmd_initrd
a4d572
a4d572
These could be triggered by an extremely large number of arguments to
a4d572
the initrd command on 32-bit architectures, or a crafted filesystem with
a4d572
very large files on any architecture.
a4d572
a4d572
Signed-off-by: Colin Watson <cjwatson@debian.org>
a4d572
---
a4d572
 grub-core/loader/i386/efi/linux.c | 9 +++++++--
a4d572
 1 file changed, 7 insertions(+), 2 deletions(-)
a4d572
a4d572
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
a4d572
index ea9f5134e67..ade7ab8f573 100644
a4d572
--- a/grub-core/loader/i386/efi/linux.c
a4d572
+++ b/grub-core/loader/i386/efi/linux.c
a4d572
@@ -28,6 +28,7 @@
a4d572
 #include <grub/efi/efi.h>
a4d572
 #include <grub/efi/linux.h>
a4d572
 #include <grub/tpm.h>
a4d572
+#include <grub/safemath.h>
a4d572
 
a4d572
 GRUB_MOD_LICENSE ("GPLv3+");
a4d572
 
a4d572
@@ -94,7 +95,7 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
a4d572
       goto fail;
a4d572
     }
a4d572
 
a4d572
-  files = grub_zalloc (argc * sizeof (files[0]));
a4d572
+  files = grub_calloc (argc, sizeof (files[0]));
a4d572
   if (!files)
a4d572
     goto fail;
a4d572
 
a4d572
@@ -105,7 +106,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
a4d572
       if (! files[i])
a4d572
         goto fail;
a4d572
       nfiles++;
a4d572
-      size += ALIGN_UP (grub_file_size (files[i]), 4);
a4d572
+      if (grub_add (size, ALIGN_UP (grub_file_size (files[i]), 4), &size))
a4d572
+	{
a4d572
+	  grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
a4d572
+	  goto fail;
a4d572
+	}
a4d572
     }
a4d572
 
a4d572
   initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size));
a4d572
-- 
a4d572
2.26.2
a4d572