|
|
3fa14a |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
3fa14a |
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
3fa14a |
Date: Tue, 12 May 2020 01:00:51 +0200
|
|
|
3fa14a |
Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
|
|
|
3fa14a |
variable value
|
|
|
3fa14a |
MIME-Version: 1.0
|
|
|
3fa14a |
Content-Type: text/plain; charset=UTF-8
|
|
|
3fa14a |
Content-Transfer-Encoding: 8bit
|
|
|
3fa14a |
|
|
|
3fa14a |
If an existing variable is set with a value whose length is smaller than
|
|
|
3fa14a |
the current value, a memory corruption can happen due copying padding '#'
|
|
|
3fa14a |
characters outside of the environment block buffer.
|
|
|
3fa14a |
|
|
|
3fa14a |
This is caused by a wrong calculation of the previous free space position
|
|
|
3fa14a |
after moving backward the characters that followed the old variable value.
|
|
|
3fa14a |
|
|
|
3fa14a |
That position is calculated to fill the remaining of the buffer with the
|
|
|
3fa14a |
padding '#' characters. But since isn't calculated correctly, it can lead
|
|
|
3fa14a |
to copies outside of the buffer.
|
|
|
3fa14a |
|
|
|
3fa14a |
The issue can be reproduced by creating a variable with a large value and
|
|
|
3fa14a |
then try to set a new value that is much smaller:
|
|
|
3fa14a |
|
|
|
3fa14a |
$ grub2-editenv --version
|
|
|
3fa14a |
grub2-editenv (GRUB) 2.04
|
|
|
3fa14a |
|
|
|
3fa14a |
$ grub2-editenv env create
|
|
|
3fa14a |
|
|
|
3fa14a |
$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
|
|
|
3fa14a |
|
|
|
3fa14a |
$ wc -c env
|
|
|
3fa14a |
1024 grubenv
|
|
|
3fa14a |
|
|
|
3fa14a |
$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
|
|
|
3fa14a |
malloc(): corrupted top size
|
|
|
3fa14a |
Aborted (core dumped)
|
|
|
3fa14a |
|
|
|
3fa14a |
$ wc -c env
|
|
|
3fa14a |
0 grubenv
|
|
|
3fa14a |
|
|
|
3fa14a |
Resolves: rhbz#1836196
|
|
|
3fa14a |
|
|
|
3fa14a |
Reported-by: Renaud Métrich <rmetrich@redhat.com>
|
|
|
3fa14a |
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
3fa14a |
Patch-cc: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
3fa14a |
---
|
|
|
3fa14a |
grub-core/lib/envblk.c | 2 +-
|
|
|
3fa14a |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
3fa14a |
|
|
|
3fa14a |
diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
|
|
|
3fa14a |
index 230e0e9d9ab..2e4e78b132d 100644
|
|
|
3fa14a |
--- a/grub-core/lib/envblk.c
|
|
|
3fa14a |
+++ b/grub-core/lib/envblk.c
|
|
|
3fa14a |
@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
|
|
|
3fa14a |
/* Move the following characters backward, and fill the new
|
|
|
3fa14a |
space with harmless characters. */
|
|
|
3fa14a |
grub_memmove (p + vl, p + len, pend - (p + len));
|
|
|
3fa14a |
- grub_memset (space + len - vl, '#', len - vl);
|
|
|
3fa14a |
+ grub_memset (space - (len - vl), '#', len - vl);
|
|
|
3fa14a |
}
|
|
|
3fa14a |
else
|
|
|
3fa14a |
/* Move the following characters forward. */
|