|
|
5975ab |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
a4d572 |
From: Colin Watson <cjwatson@debian.org>
|
|
|
a4d572 |
Date: Sat, 25 Jul 2020 12:15:37 +0100
|
|
|
5975ab |
Subject: [PATCH] linux: Fix integer overflows in initrd size handling
|
|
|
a4d572 |
|
|
|
a4d572 |
These could be triggered by a crafted filesystem with very large files.
|
|
|
a4d572 |
|
|
|
a4d572 |
Fixes: CVE-2020-15707
|
|
|
a4d572 |
|
|
|
a4d572 |
Signed-off-by: Colin Watson <cjwatson@debian.org>
|
|
|
a4d572 |
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
|
|
a4d572 |
---
|
|
|
5975ab |
grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++-------------
|
|
|
a4d572 |
1 file changed, 54 insertions(+), 20 deletions(-)
|
|
|
a4d572 |
|
|
|
a4d572 |
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
|
|
|
f6e916 |
index 61a2e144d..0953f6d32 100644
|
|
|
a4d572 |
--- a/grub-core/loader/linux.c
|
|
|
a4d572 |
+++ b/grub-core/loader/linux.c
|
|
|
a4d572 |
@@ -5,6 +5,7 @@
|
|
|
a4d572 |
#include <grub/file.h>
|
|
|
a4d572 |
#include <grub/mm.h>
|
|
|
a4d572 |
#include <grub/tpm.h>
|
|
|
a4d572 |
+#include <grub/safemath.h>
|
|
|
a4d572 |
|
|
|
a4d572 |
struct newc_head
|
|
|
a4d572 |
{
|
|
|
a4d572 |
@@ -99,13 +100,13 @@ free_dir (struct dir *root)
|
|
|
a4d572 |
grub_free (root);
|
|
|
a4d572 |
}
|
|
|
a4d572 |
|
|
|
a4d572 |
-static grub_size_t
|
|
|
a4d572 |
+static grub_err_t
|
|
|
a4d572 |
insert_dir (const char *name, struct dir **root,
|
|
|
a4d572 |
- grub_uint8_t *ptr)
|
|
|
a4d572 |
+ grub_uint8_t *ptr, grub_size_t *size)
|
|
|
a4d572 |
{
|
|
|
a4d572 |
struct dir *cur, **head = root;
|
|
|
a4d572 |
const char *cb, *ce = name;
|
|
|
a4d572 |
- grub_size_t size = 0;
|
|
|
a4d572 |
+ *size = 0;
|
|
|
a4d572 |
while (1)
|
|
|
a4d572 |
{
|
|
|
a4d572 |
for (cb = ce; *cb == '/'; cb++);
|
|
|
a4d572 |
@@ -131,14 +132,22 @@ insert_dir (const char *name, struct dir **root,
|
|
|
a4d572 |
ptr = make_header (ptr, name, ce - name,
|
|
|
a4d572 |
040777, 0);
|
|
|
a4d572 |
}
|
|
|
a4d572 |
- size += ALIGN_UP ((ce - (char *) name)
|
|
|
a4d572 |
- + sizeof (struct newc_head), 4);
|
|
|
a4d572 |
+ if (grub_add (*size,
|
|
|
a4d572 |
+ ALIGN_UP ((ce - (char *) name)
|
|
|
a4d572 |
+ + sizeof (struct newc_head), 4),
|
|
|
a4d572 |
+ size))
|
|
|
a4d572 |
+ {
|
|
|
a4d572 |
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
|
|
a4d572 |
+ grub_free (n->name);
|
|
|
a4d572 |
+ grub_free (n);
|
|
|
a4d572 |
+ return grub_errno;
|
|
|
a4d572 |
+ }
|
|
|
a4d572 |
*head = n;
|
|
|
a4d572 |
cur = n;
|
|
|
a4d572 |
}
|
|
|
a4d572 |
root = &cur->next;
|
|
|
a4d572 |
}
|
|
|
a4d572 |
- return size;
|
|
|
a4d572 |
+ return GRUB_ERR_NONE;
|
|
|
a4d572 |
}
|
|
|
a4d572 |
|
|
|
a4d572 |
grub_err_t
|
|
|
a4d572 |
@@ -175,26 +184,33 @@ grub_initrd_init (int argc, char *argv[],
|
|
|
a4d572 |
if (eptr)
|
|
|
a4d572 |
{
|
|
|
a4d572 |
grub_file_filter_disable_compression ();
|
|
|
a4d572 |
+ grub_size_t dir_size, name_len;
|
|
|
a4d572 |
+
|
|
|
a4d572 |
initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
|
|
|
a4d572 |
- if (!initrd_ctx->components[i].newc_name)
|
|
|
a4d572 |
+ if (!initrd_ctx->components[i].newc_name ||
|
|
|
a4d572 |
+ insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
|
|
|
a4d572 |
+ &dir_size))
|
|
|
a4d572 |
{
|
|
|
a4d572 |
grub_initrd_close (initrd_ctx);
|
|
|
a4d572 |
return grub_errno;
|
|
|
a4d572 |
}
|
|
|
a4d572 |
- initrd_ctx->size
|
|
|
a4d572 |
- += ALIGN_UP (sizeof (struct newc_head)
|
|
|
a4d572 |
- + grub_strlen (initrd_ctx->components[i].newc_name),
|
|
|
a4d572 |
- 4);
|
|
|
a4d572 |
- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
|
|
|
a4d572 |
- &root, 0);
|
|
|
a4d572 |
+ name_len = grub_strlen (initrd_ctx->components[i].newc_name);
|
|
|
a4d572 |
+ if (grub_add (initrd_ctx->size,
|
|
|
a4d572 |
+ ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
|
|
|
a4d572 |
+ &initrd_ctx->size) ||
|
|
|
a4d572 |
+ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
|
|
|
a4d572 |
+ goto overflow;
|
|
|
a4d572 |
newc = 1;
|
|
|
a4d572 |
fname = eptr + 1;
|
|
|
a4d572 |
}
|
|
|
a4d572 |
}
|
|
|
a4d572 |
else if (newc)
|
|
|
a4d572 |
{
|
|
|
a4d572 |
- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
|
|
|
a4d572 |
- + sizeof ("TRAILER!!!") - 1, 4);
|
|
|
a4d572 |
+ if (grub_add (initrd_ctx->size,
|
|
|
a4d572 |
+ ALIGN_UP (sizeof (struct newc_head)
|
|
|
a4d572 |
+ + sizeof ("TRAILER!!!") - 1, 4),
|
|
|
a4d572 |
+ &initrd_ctx->size))
|
|
|
a4d572 |
+ goto overflow;
|
|
|
a4d572 |
free_dir (root);
|
|
|
a4d572 |
root = 0;
|
|
|
a4d572 |
newc = 0;
|
|
|
a4d572 |
@@ -209,19 +225,29 @@ grub_initrd_init (int argc, char *argv[],
|
|
|
a4d572 |
initrd_ctx->nfiles++;
|
|
|
a4d572 |
initrd_ctx->components[i].size
|
|
|
a4d572 |
= grub_file_size (initrd_ctx->components[i].file);
|
|
|
a4d572 |
- initrd_ctx->size += initrd_ctx->components[i].size;
|
|
|
a4d572 |
+ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
|
|
|
a4d572 |
+ &initrd_ctx->size))
|
|
|
a4d572 |
+ goto overflow;
|
|
|
a4d572 |
}
|
|
|
a4d572 |
|
|
|
a4d572 |
if (newc)
|
|
|
a4d572 |
{
|
|
|
a4d572 |
initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
|
|
|
a4d572 |
- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
|
|
|
a4d572 |
- + sizeof ("TRAILER!!!") - 1, 4);
|
|
|
a4d572 |
+ if (grub_add (initrd_ctx->size,
|
|
|
a4d572 |
+ ALIGN_UP (sizeof (struct newc_head)
|
|
|
a4d572 |
+ + sizeof ("TRAILER!!!") - 1, 4),
|
|
|
a4d572 |
+ &initrd_ctx->size))
|
|
|
a4d572 |
+ goto overflow;
|
|
|
a4d572 |
free_dir (root);
|
|
|
a4d572 |
root = 0;
|
|
|
a4d572 |
}
|
|
|
a4d572 |
|
|
|
a4d572 |
return GRUB_ERR_NONE;
|
|
|
a4d572 |
+
|
|
|
a4d572 |
+overflow:
|
|
|
a4d572 |
+ free_dir (root);
|
|
|
a4d572 |
+ grub_initrd_close (initrd_ctx);
|
|
|
a4d572 |
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
|
|
a4d572 |
}
|
|
|
a4d572 |
|
|
|
a4d572 |
grub_size_t
|
|
|
a4d572 |
@@ -262,8 +288,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
|
|
|
a4d572 |
|
|
|
a4d572 |
if (initrd_ctx->components[i].newc_name)
|
|
|
a4d572 |
{
|
|
|
a4d572 |
- ptr += insert_dir (initrd_ctx->components[i].newc_name,
|
|
|
a4d572 |
- &root, ptr);
|
|
|
a4d572 |
+ grub_size_t dir_size;
|
|
|
a4d572 |
+
|
|
|
a4d572 |
+ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
|
|
|
a4d572 |
+ &dir_size))
|
|
|
a4d572 |
+ {
|
|
|
a4d572 |
+ free_dir (root);
|
|
|
a4d572 |
+ grub_initrd_close (initrd_ctx);
|
|
|
a4d572 |
+ return grub_errno;
|
|
|
a4d572 |
+ }
|
|
|
a4d572 |
+ ptr += dir_size;
|
|
|
a4d572 |
ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
|
|
|
a4d572 |
grub_strlen (initrd_ctx->components[i].newc_name),
|
|
|
a4d572 |
0100777,
|