nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0329-efi-ip-46-_config.c-fix-some-potential-allocation-ov.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
c4e390
From: Peter Jones <pjones@redhat.com>
c4e390
Date: Sun, 19 Jul 2020 17:27:00 -0400
b1bcb2
Subject: [PATCH] efi/ip[46]_config.c: fix some potential allocation overflows
c4e390
c4e390
In theory all of this data comes from the firmware stack and it should
c4e390
be safe, but it's better to be paranoid.
c4e390
c4e390
Signed-off-by: Peter Jones <pjones@redhat.com>
c4e390
---
c4e390
 grub-core/net/efi/ip4_config.c | 28 ++++++++++++++++++++--------
c4e390
 grub-core/net/efi/ip6_config.c | 13 ++++++++++---
c4e390
 2 files changed, 30 insertions(+), 11 deletions(-)
c4e390
c4e390
diff --git a/grub-core/net/efi/ip4_config.c b/grub-core/net/efi/ip4_config.c
c4e390
index 313c818b184..0f729b47cbd 100644
c4e390
--- a/grub-core/net/efi/ip4_config.c
c4e390
+++ b/grub-core/net/efi/ip4_config.c
c4e390
@@ -4,15 +4,20 @@
c4e390
 #include <grub/misc.h>
c4e390
 #include <grub/net/efi.h>
c4e390
 #include <grub/charset.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 char *
c4e390
 grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_address_t hw_address)
c4e390
 {
c4e390
   char *hw_addr, *p;
c4e390
-  int sz, s;
c4e390
-  int i;
c4e390
+  grub_size_t sz, s, i;
c4e390
 
c4e390
-  sz = (int)hw_address_size * (sizeof ("XX:") - 1) + 1;
c4e390
+  if (grub_mul (hw_address_size, sizeof ("XX:") - 1, &sz) ||
c4e390
+      grub_add (sz, 1, &sz))
c4e390
+    {
c4e390
+      grub_errno = GRUB_ERR_OUT_OF_RANGE;
c4e390
+      return NULL;
c4e390
+    }
c4e390
 
c4e390
   hw_addr = grub_malloc (sz);
c4e390
   if (!hw_addr)
c4e390
@@ -20,7 +25,7 @@ grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_a
c4e390
 
c4e390
   p = hw_addr;
c4e390
   s = sz;
c4e390
-  for (i = 0; i < (int)hw_address_size; i++)
c4e390
+  for (i = 0; i < hw_address_size; i++)
c4e390
     {
c4e390
       grub_snprintf (p, sz, "%02x:", hw_address[i]);
c4e390
       p +=  sizeof ("XX:") - 1;
c4e390
@@ -56,7 +61,8 @@ int
c4e390
 grub_efi_string_to_ip4_address (const char *val, grub_efi_ipv4_address_t *address, const char **rest)
c4e390
 {
c4e390
   grub_uint32_t newip = 0;
c4e390
-  int i, ncolon = 0;
c4e390
+  grub_size_t i;
c4e390
+  int ncolon = 0;
c4e390
   const char *ptr = val;
c4e390
 
c4e390
   /* Check that is not an IPv6 address */
c4e390
@@ -238,14 +244,20 @@ grub_efi_ip4_interface_route_table (struct grub_efi_net_device *dev)
c4e390
 {
c4e390
   grub_efi_ip4_config2_interface_info_t *interface_info;
c4e390
   char **ret;
c4e390
-  int i, id;
c4e390
+  int id;
c4e390
+  grub_size_t i, nmemb;
c4e390
 
c4e390
   interface_info = efi_ip4_config_interface_info (dev->ip4_config);
c4e390
   if (!interface_info)
c4e390
     return NULL;
c4e390
 
c4e390
-  ret = grub_malloc (sizeof (*ret) * (interface_info->route_table_size + 1));
c4e390
+  if (grub_add (interface_info->route_table_size, 1, &nmemb))
c4e390
+    {
c4e390
+      grub_errno = GRUB_ERR_OUT_OF_RANGE;
c4e390
+      return NULL;
c4e390
+    }
c4e390
 
c4e390
+  ret = grub_calloc (nmemb, sizeof (*ret));
c4e390
   if (!ret)
c4e390
     {
c4e390
       grub_free (interface_info);
c4e390
@@ -253,7 +265,7 @@ grub_efi_ip4_interface_route_table (struct grub_efi_net_device *dev)
c4e390
     }
c4e390
 
c4e390
   id = 0;
c4e390
-  for (i = 0; i < (int)interface_info->route_table_size; i++)
c4e390
+  for (i = 0; i < interface_info->route_table_size; i++)
c4e390
     {
c4e390
       char *subnet, *gateway, *mask;
c4e390
       grub_uint32_t u32_subnet, u32_gateway;
c4e390
diff --git a/grub-core/net/efi/ip6_config.c b/grub-core/net/efi/ip6_config.c
c4e390
index 017c4d05bc7..a46f6f9b685 100644
c4e390
--- a/grub-core/net/efi/ip6_config.c
c4e390
+++ b/grub-core/net/efi/ip6_config.c
c4e390
@@ -3,6 +3,7 @@
c4e390
 #include <grub/misc.h>
c4e390
 #include <grub/net/efi.h>
c4e390
 #include <grub/charset.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 char *
c4e390
 grub_efi_ip6_address_to_string (grub_efi_pxe_ipv6_address_t *address)
c4e390
@@ -228,14 +229,20 @@ grub_efi_ip6_interface_route_table (struct grub_efi_net_device *dev)
c4e390
 {
c4e390
   grub_efi_ip6_config_interface_info_t *interface_info;
c4e390
   char **ret;
c4e390
-  int i, id;
c4e390
+  int id;
c4e390
+  grub_size_t i, nmemb;
c4e390
 
c4e390
   interface_info = efi_ip6_config_interface_info (dev->ip6_config);
c4e390
   if (!interface_info)
c4e390
     return NULL;
c4e390
 
c4e390
-  ret = grub_malloc (sizeof (*ret) * (interface_info->route_count + 1));
c4e390
+  if (grub_add (interface_info->route_count, 1, &nmemb))
c4e390
+    {
c4e390
+      grub_errno = GRUB_ERR_OUT_OF_RANGE;
c4e390
+      return NULL;
c4e390
+    }
c4e390
 
c4e390
+  ret = grub_calloc (nmemb, sizeof (*ret));
c4e390
   if (!ret)
c4e390
     {
c4e390
       grub_free (interface_info);
c4e390
@@ -243,7 +250,7 @@ grub_efi_ip6_interface_route_table (struct grub_efi_net_device *dev)
c4e390
     }
c4e390
 
c4e390
   id = 0;
c4e390
-  for (i = 0; i < (int)interface_info->route_count ; i++)
c4e390
+  for (i = 0; i < interface_info->route_count ; i++)
c4e390
     {
c4e390
       char *gateway, *destination;
c4e390
       grub_uint64_t u64_gateway[2];