nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch

964c53
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
964c53
From: Javier Martinez Canillas <javierm@redhat.com>
964c53
Date: Tue, 12 May 2020 01:00:51 +0200
964c53
Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
964c53
 variable value
964c53
MIME-Version: 1.0
964c53
Content-Type: text/plain; charset=UTF-8
964c53
Content-Transfer-Encoding: 8bit
964c53
964c53
If an existing variable is set with a value whose length is smaller than
964c53
the current value, a memory corruption can happen due copying padding '#'
964c53
characters outside of the environment block buffer.
964c53
964c53
This is caused by a wrong calculation of the previous free space position
964c53
after moving backward the characters that followed the old variable value.
964c53
964c53
That position is calculated to fill the remaining of the buffer with the
964c53
padding '#' characters. But since isn't calculated correctly, it can lead
964c53
to copies outside of the buffer.
964c53
964c53
The issue can be reproduced by creating a variable with a large value and
964c53
then try to set a new value that is much smaller:
964c53
964c53
$ grub2-editenv --version
964c53
grub2-editenv (GRUB) 2.04
964c53
964c53
$ grub2-editenv env create
964c53
964c53
$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
964c53
964c53
$ wc -c env
964c53
1024 grubenv
964c53
964c53
$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
964c53
malloc(): corrupted top size
964c53
Aborted (core dumped)
964c53
964c53
$ wc -c env
964c53
0 grubenv
964c53
964c53
Resolves: rhbz#1761496
964c53
964c53
Reported-by: Renaud Métrich <rmetrich@redhat.com>
964c53
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
964c53
Patch-cc: Daniel Kiper <daniel.kiper@oracle.com>
964c53
---
964c53
 grub-core/lib/envblk.c | 2 +-
964c53
 1 file changed, 1 insertion(+), 1 deletion(-)
964c53
964c53
diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
964c53
index 230e0e9d9ab..2e4e78b132d 100644
964c53
--- a/grub-core/lib/envblk.c
964c53
+++ b/grub-core/lib/envblk.c
964c53
@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
964c53
               /* Move the following characters backward, and fill the new
964c53
                  space with harmless characters.  */
964c53
               grub_memmove (p + vl, p + len, pend - (p + len));
964c53
-              grub_memset (space + len - vl, '#', len - vl);
964c53
+              grub_memset (space - (len - vl), '#', len - vl);
964c53
             }
964c53
           else
964c53
             /* Move the following characters forward.  */