|
|
5caed3 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
5caed3 |
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
5caed3 |
Date: Tue, 12 May 2020 01:00:51 +0200
|
|
|
5caed3 |
Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
|
|
|
5caed3 |
variable value
|
|
|
5caed3 |
MIME-Version: 1.0
|
|
|
5caed3 |
Content-Type: text/plain; charset=UTF-8
|
|
|
5caed3 |
Content-Transfer-Encoding: 8bit
|
|
|
5caed3 |
|
|
|
5caed3 |
If an existing variable is set with a value whose length is smaller than
|
|
|
5caed3 |
the current value, a memory corruption can happen due copying padding '#'
|
|
|
5caed3 |
characters outside of the environment block buffer.
|
|
|
5caed3 |
|
|
|
5caed3 |
This is caused by a wrong calculation of the previous free space position
|
|
|
5caed3 |
after moving backward the characters that followed the old variable value.
|
|
|
5caed3 |
|
|
|
5caed3 |
That position is calculated to fill the remaining of the buffer with the
|
|
|
5caed3 |
padding '#' characters. But since isn't calculated correctly, it can lead
|
|
|
5caed3 |
to copies outside of the buffer.
|
|
|
5caed3 |
|
|
|
5caed3 |
The issue can be reproduced by creating a variable with a large value and
|
|
|
5caed3 |
then try to set a new value that is much smaller:
|
|
|
5caed3 |
|
|
|
5caed3 |
$ grub2-editenv --version
|
|
|
5caed3 |
grub2-editenv (GRUB) 2.04
|
|
|
5caed3 |
|
|
|
5caed3 |
$ grub2-editenv env create
|
|
|
5caed3 |
|
|
|
5caed3 |
$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
|
|
|
5caed3 |
|
|
|
5caed3 |
$ wc -c env
|
|
|
5caed3 |
1024 grubenv
|
|
|
5caed3 |
|
|
|
5caed3 |
$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
|
|
|
5caed3 |
malloc(): corrupted top size
|
|
|
5caed3 |
Aborted (core dumped)
|
|
|
5caed3 |
|
|
|
5caed3 |
$ wc -c env
|
|
|
5caed3 |
0 grubenv
|
|
|
5caed3 |
|
|
|
5caed3 |
Resolves: rhbz#1761496
|
|
|
5caed3 |
|
|
|
5caed3 |
Reported-by: Renaud Métrich <rmetrich@redhat.com>
|
|
|
5caed3 |
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
5caed3 |
Patch-cc: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
5caed3 |
---
|
|
|
5caed3 |
grub-core/lib/envblk.c | 2 +-
|
|
|
5caed3 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
5caed3 |
|
|
|
5caed3 |
diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
|
|
|
09e3cc |
index 230e0e9d9..2e4e78b13 100644
|
|
|
5caed3 |
--- a/grub-core/lib/envblk.c
|
|
|
5caed3 |
+++ b/grub-core/lib/envblk.c
|
|
|
5caed3 |
@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
|
|
|
5caed3 |
/* Move the following characters backward, and fill the new
|
|
|
5caed3 |
space with harmless characters. */
|
|
|
5caed3 |
grub_memmove (p + vl, p + len, pend - (p + len));
|
|
|
5caed3 |
- grub_memset (space + len - vl, '#', len - vl);
|
|
|
5caed3 |
+ grub_memset (space - (len - vl), '#', len - vl);
|
|
|
5caed3 |
}
|
|
|
5caed3 |
else
|
|
|
5caed3 |
/* Move the following characters forward. */
|