nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0375-lib-arg-Block-repeated-short-options-that-require-an.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Daniel Axtens <dja@axtens.net>
9723a8
Date: Fri, 22 Jan 2021 16:07:29 +1100
9723a8
Subject: [PATCH] lib/arg: Block repeated short options that require an
9723a8
 argument
9723a8
9723a8
Fuzzing found the following crash:
9723a8
9723a8
  search -hhhhhhhhhhhhhf
9723a8
9723a8
We didn't allocate enough option space for 13 hints because the
9723a8
allocation code counts the number of discrete arguments (i.e. argc).
9723a8
However, the shortopt parsing code will happily keep processing
9723a8
a combination of short options without checking if those short
9723a8
options require an argument. This means you can easily end writing
9723a8
past the allocated option space.
9723a8
9723a8
This fixes a OOB write which can cause heap corruption.
9723a8
9723a8
Fixes: CVE-2021-20225
9723a8
9723a8
Signed-off-by: Daniel Axtens <dja@axtens.net>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/lib/arg.c | 13 +++++++++++++
9723a8
 1 file changed, 13 insertions(+)
9723a8
9723a8
diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
9723a8
index 3288609a5e1..537c5e94b83 100644
9723a8
--- a/grub-core/lib/arg.c
9723a8
+++ b/grub-core/lib/arg.c
9723a8
@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
9723a8
 		 it can have an argument value.  */
9723a8
 	      if (*curshort)
9723a8
 		{
9723a8
+		  /*
9723a8
+		   * Only permit further short opts if this one doesn't
9723a8
+		   * require a value.
9723a8
+		   */
9723a8
+		  if (opt->type != ARG_TYPE_NONE &&
9723a8
+		      !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
9723a8
+		    {
9723a8
+		      grub_error (GRUB_ERR_BAD_ARGUMENT,
9723a8
+				  N_("missing mandatory option for `%s'"),
9723a8
+				  opt->longarg);
9723a8
+		      goto fail;
9723a8
+		    }
9723a8
+
9723a8
 		  if (parse_option (cmd, opt, 0, usr) || grub_errno)
9723a8
 		    goto fail;
9723a8
 		}