rpms/grub2 (nalika fork): SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 12 May 2020 01:00:51 +0200
Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
 variable value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If an existing variable is set with a value whose length is smaller than
the current value, a memory corruption can happen due to copying padding '#'
characters outside of the environment block buffer.

This is caused by a wrong calculation of the previous free space position
after moving backward the characters that followed the old variable value.

That position is calculated to fill the remaining of the buffer with the
padding '#' characters. But since it isn't calculated correctly, it can lead
to copies outside of the buffer.

The issue can be reproduced by creating a variable with a large value and
then trying to set a new value that is much smaller:

$ grub2-editenv --version
grub2-editenv (GRUB) 2.04

$ grub2-editenv env create

$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"

$ wc -c env
1024 grubenv

$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
malloc(): corrupted top size
Aborted (core dumped)

$ wc -c env
0 grubenv

Resolves: rhbz#1761496

Reported-by: Renaud Métrich <rmetrich@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Patch-cc: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/lib/envblk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
index 230e0e9d9..2e4e78b13 100644
--- a/grub-core/lib/envblk.c
+++ b/grub-core/lib/envblk.c
@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
               /* Move the following characters backward, and fill the new
                  space with harmless characters.  */
               grub_memmove (p + vl, p + len, pend - (p + len));
-              grub_memset (space + len - vl, '#', len - vl);
+              grub_memset (space - (len - vl), '#', len - vl);
             }
           else
             /* Move the following characters forward.  */
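Review bot: the new start address for the memset is correct, but the comment above it ("fill the new space with harmless characters") should state the bound, since the old line got it wrong silently. The grub_memmove just above shifts everything from p + len up to pend back by len - vl bytes, so the free space that began at `space` now begins at `space - (len - vl)`. The removed line started the fill at `space + len - vl`, i.e. len - vl bytes past the old free-space start, and then wrote len - vl more, which runs past pend whenever `space + 2 * (len - vl) > pend`; the 500-byte to 50-byte case in the commit message does exactly that. With the added line the fill ends at `space`, inside the block, and together with the '#' bytes the memmove already brought down it leaves every byte from `space - (len - vl)` to pend as padding, also when the block had fewer than len - vl bytes free before the shrink. Two follow-ups: `space` itself still holds the pre-move position after this branch, so if it is read anywhere later in the function it needs `space -= len - vl;` here as well; and the reproducer from the commit message (create a 500-character value, then shrink it to 50) would make a cheap regression test for grub-editenv.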