dcavalca / rpms / grub2

Forked from rpms/grub2 3 years ago
Clone

Blame SOURCES/0422-kern-misc-Add-function-to-check-printf-format-agains.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Thomas Frauendorfer | Miray Software <tf@miray.de>
9723a8
Date: Thu, 4 Feb 2021 19:02:33 +0100
9723a8
Subject: [PATCH] kern/misc: Add function to check printf() format against
9723a8
 expected format
9723a8
9723a8
The grub_printf_fmt_check() function parses the arguments of an untrusted
9723a8
printf() format and an expected printf() format and then compares the
9723a8
arguments counts and arguments types. The arguments count in the untrusted
9723a8
format string must be less or equal to the arguments count in the expected
9723a8
format string and both arguments types must match.
9723a8
9723a8
To do this the parse_printf_arg_fmt() helper function is extended in the
9723a8
following way:
9723a8
9723a8
  1. Add a return value to report errors to the grub_printf_fmt_check().
9723a8
9723a8
  2. Add the fmt_check argument to enable stricter format verification:
9723a8
     - the function expects that arguments definitions are always
9723a8
       terminated by a supported conversion specifier.
9723a8
     - positional parameters, "$", are not allowed, as they cannot be
9723a8
       validated correctly with the current implementation. For example
9723a8
       "%s%1$d" would assign the first args entry twice while leaving the
9723a8
       second one unchanged.
9723a8
     - Return an error if preallocated space in args is too small and
9723a8
       allocation fails for the needed size. The grub_printf_fmt_check()
9723a8
       should verify all arguments. So, if validation is not possible for
9723a8
       any reason it should return an error.
9723a8
     This also adds a case entry to handle "%%", which is the escape
9723a8
     sequence to print "%" character.
9723a8
9723a8
  3. Add the max_args argument to check for the maximum allowed arguments
9723a8
     count in a printf() string. This should be set to the arguments count
9723a8
     of the expected format. Then the parse_printf_arg_fmt() function will
9723a8
     return an error if the arguments count is exceeded.
9723a8
9723a8
The two additional arguments allow us to use parse_printf_arg_fmt() in
9723a8
printf() and grub_printf_fmt_check() calls.
9723a8
9723a8
When parse_printf_arg_fmt() is used by grub_printf_fmt_check() the
9723a8
function parse user provided untrusted format string too. So, in
9723a8
that case it is better to be too strict than too lenient.
9723a8
9723a8
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/kern/misc.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++---
9723a8
 include/grub/misc.h   | 16 ++++++++++
9723a8
 2 files changed, 94 insertions(+), 4 deletions(-)
9723a8
9723a8
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
9723a8
index 9e2a237b118..f56b5d2034e 100644
9723a8
--- a/grub-core/kern/misc.c
9723a8
+++ b/grub-core/kern/misc.c
9723a8
@@ -678,8 +678,26 @@ grub_lltoa (char *str, int c, unsigned long long n)
9723a8
   return p;
9723a8
 }
9723a8
 
9723a8
-static void
9723a8
-parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
9723a8
+/*
9723a8
+ * Parse printf() fmt0 string into args arguments.
9723a8
+ *
9723a8
+ * The parsed arguments are either used by a printf() function to format the fmt0
9723a8
+ * string or they are used to compare a format string from an untrusted source
9723a8
+ * against a format string with expected arguments.
9723a8
+ *
9723a8
+ * When the fmt_check is set to !0, e.g. 1, then this function is executed in
9723a8
+ * printf() format check mode. This enforces stricter rules for parsing the
9723a8
+ * fmt0 to limit exposure to possible errors in printf() handling. It also
9723a8
+ * disables positional parameters, "$", because some formats, e.g "%s%1$d",
9723a8
+ * cannot be validated with the current implementation.
9723a8
+ *
9723a8
+ * The max_args allows to set a maximum number of accepted arguments. If the fmt0
9723a8
+ * string defines more arguments than the max_args then the parse_printf_arg_fmt()
9723a8
+ * function returns an error. This is currently used for format check only.
9723a8
+ */
9723a8
+static grub_err_t
9723a8
+parse_printf_arg_fmt (const char *fmt0, struct printf_args *args,
9723a8
+		      int fmt_check, grub_size_t max_args)
9723a8
 {
9723a8
   const char *fmt;
9723a8
   char c;
9723a8
@@ -706,7 +724,12 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
9723a8
 	fmt++;
9723a8
 
9723a8
       if (*fmt == '$')
9723a8
-	fmt++;
9723a8
+	{
9723a8
+	  if (fmt_check)
9723a8
+	    return grub_error (GRUB_ERR_BAD_ARGUMENT,
9723a8
+			       "positional arguments are not supported");
9723a8
+	  fmt++;
9723a8
+	}
9723a8
 
9723a8
       if (*fmt =='-')
9723a8
 	fmt++;
9723a8
@@ -738,9 +761,19 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
9723a8
 	case 's':
9723a8
 	  args->count++;
9723a8
 	  break;
9723a8
+	case '%':
9723a8
+	  /* "%%" is the escape sequence to output "%". */
9723a8
+	  break;
9723a8
+	default:
9723a8
+	  if (fmt_check)
9723a8
+	    return grub_error (GRUB_ERR_BAD_ARGUMENT, "unexpected format");
9723a8
+	  break;
9723a8
 	}
9723a8
     }
9723a8
 
9723a8
+  if (fmt_check && args->count > max_args)
9723a8
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "too many arguments");
9723a8
+
9723a8
   if (args->count <= ARRAY_SIZE (args->prealloc))
9723a8
     args->ptr = args->prealloc;
9723a8
   else
9723a8
@@ -748,6 +781,9 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
9723a8
       args->ptr = grub_calloc (args->count, sizeof (args->ptr[0]));
9723a8
       if (!args->ptr)
9723a8
 	{
9723a8
+	  if (fmt_check)
9723a8
+	    return grub_errno;
9723a8
+
9723a8
 	  grub_errno = GRUB_ERR_NONE;
9723a8
 	  args->ptr = args->prealloc;
9723a8
 	  args->count = ARRAY_SIZE (args->prealloc);
9723a8
@@ -839,6 +875,8 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args)
9723a8
 	  break;
9723a8
 	}
9723a8
     }
9723a8
+
9723a8
+  return GRUB_ERR_NONE;
9723a8
 }
9723a8
 
9723a8
 static void
9723a8
@@ -846,7 +884,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args, va_list args_in)
9723a8
 {
9723a8
   grub_size_t n;
9723a8
 
9723a8
-  parse_printf_arg_fmt (fmt0, args);
9723a8
+  parse_printf_arg_fmt (fmt0, args, 0, 0);
9723a8
 
9723a8
   for (n = 0; n < args->count; n++)
9723a8
     switch (args->ptr[n].type)
9723a8
@@ -1154,6 +1192,42 @@ grub_xasprintf (const char *fmt, ...)
9723a8
   return ret;
9723a8
 }
9723a8
 
9723a8
+grub_err_t
9723a8
+grub_printf_fmt_check (const char *fmt, const char *fmt_expected)
9723a8
+{
9723a8
+  struct printf_args args_expected, args_fmt;
9723a8
+  grub_err_t ret;
9723a8
+  grub_size_t n;
9723a8
+
9723a8
+  if (fmt == NULL || fmt_expected == NULL)
9723a8
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid format");
9723a8
+
9723a8
+  ret = parse_printf_arg_fmt (fmt_expected, &args_expected, 1, GRUB_SIZE_MAX);
9723a8
+  if (ret != GRUB_ERR_NONE)
9723a8
+    return ret;
9723a8
+
9723a8
+  /* Limit parsing to the number of expected arguments. */
9723a8
+  ret = parse_printf_arg_fmt (fmt, &args_fmt, 1, args_expected.count);
9723a8
+  if (ret != GRUB_ERR_NONE)
9723a8
+    {
9723a8
+      free_printf_args (&args_expected);
9723a8
+      return ret;
9723a8
+    }
9723a8
+
9723a8
+  for (n = 0; n < args_fmt.count; n++)
9723a8
+    if (args_fmt.ptr[n].type != args_expected.ptr[n].type)
9723a8
+     {
9723a8
+	ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "arguments types do not match");
9723a8
+	break;
9723a8
+     }
9723a8
+
9723a8
+  free_printf_args (&args_expected);
9723a8
+  free_printf_args (&args_fmt);
9723a8
+
9723a8
+  return ret;
9723a8
+}
9723a8
+
9723a8
+
9723a8
 /* Abort GRUB. This function does not return.  */
9723a8
 static inline void __attribute__ ((noreturn))
9723a8
 grub_abort (void)
9723a8
diff --git a/include/grub/misc.h b/include/grub/misc.h
9723a8
index 1258ec6bbf3..b1cbb4a51bc 100644
9723a8
--- a/include/grub/misc.h
9723a8
+++ b/include/grub/misc.h
9723a8
@@ -487,6 +487,22 @@ grub_error_load (const struct grub_error_saved *save)
9723a8
   grub_errno = save->grub_errno;
9723a8
 }
9723a8
 
9723a8
+/*
9723a8
+ * grub_printf_fmt_checks() a fmt string for printf() against an expected
9723a8
+ * format. It is intended for cases where the fmt string could come from
9723a8
+ * an outside source and cannot be trusted.
9723a8
+ *
9723a8
+ * While expected fmt accepts a printf() format string it should be kept
9723a8
+ * as simple as possible. The printf() format strings with positional
9723a8
+ * parameters are NOT accepted, neither for fmt nor for fmt_expected.
9723a8
+ *
9723a8
+ * The fmt is accepted if it has equal or less arguments than fmt_expected
9723a8
+ * and if the type of all arguments match.
9723a8
+ *
9723a8
+ * Returns GRUB_ERR_NONE if fmt is acceptable.
9723a8
+ */
9723a8
+grub_err_t EXPORT_FUNC (grub_printf_fmt_check) (const char *fmt, const char *fmt_expected);
9723a8
+
9723a8
 #if BOOT_TIME_STATS
9723a8
 struct grub_boot_time
9723a8
 {