|
|
468bd4 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
468bd4 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
468bd4 |
Date: Fri, 22 Jan 2021 16:07:29 +1100
|
|
|
468bd4 |
Subject: [PATCH] lib/arg: Block repeated short options that require an
|
|
|
468bd4 |
argument
|
|
|
468bd4 |
|
|
|
468bd4 |
Fuzzing found the following crash:
|
|
|
468bd4 |
|
|
|
468bd4 |
search -hhhhhhhhhhhhhf
|
|
|
468bd4 |
|
|
|
468bd4 |
We didn't allocate enough option space for 13 hints because the
|
|
|
468bd4 |
allocation code counts the number of discrete arguments (i.e. argc).
|
|
|
468bd4 |
However, the shortopt parsing code will happily keep processing
|
|
|
468bd4 |
a combination of short options without checking if those short
|
|
|
468bd4 |
options require an argument. This means you can easily end writing
|
|
|
468bd4 |
past the allocated option space.
|
|
|
468bd4 |
|
|
|
468bd4 |
This fixes a OOB write which can cause heap corruption.
|
|
|
468bd4 |
|
|
|
468bd4 |
Fixes: CVE-2021-20225
|
|
|
468bd4 |
|
|
|
468bd4 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
468bd4 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
468bd4 |
---
|
|
|
468bd4 |
grub-core/lib/arg.c | 13 +++++++++++++
|
|
|
468bd4 |
1 file changed, 13 insertions(+)
|
|
|
468bd4 |
|
|
|
468bd4 |
diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
|
|
|
468bd4 |
index 3288609a5e1..537c5e94b83 100644
|
|
|
468bd4 |
--- a/grub-core/lib/arg.c
|
|
|
468bd4 |
+++ b/grub-core/lib/arg.c
|
|
|
468bd4 |
@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
|
|
|
468bd4 |
it can have an argument value. */
|
|
|
468bd4 |
if (*curshort)
|
|
|
468bd4 |
{
|
|
|
468bd4 |
+ /*
|
|
|
468bd4 |
+ * Only permit further short opts if this one doesn't
|
|
|
468bd4 |
+ * require a value.
|
|
|
468bd4 |
+ */
|
|
|
468bd4 |
+ if (opt->type != ARG_TYPE_NONE &&
|
|
|
468bd4 |
+ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
|
|
|
468bd4 |
+ {
|
|
|
468bd4 |
+ grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
|
468bd4 |
+ N_("missing mandatory option for `%s'"),
|
|
|
468bd4 |
+ opt->longarg);
|
|
|
468bd4 |
+ goto fail;
|
|
|
468bd4 |
+ }
|
|
|
468bd4 |
+
|
|
|
468bd4 |
if (parse_option (cmd, opt, 0, usr) || grub_errno)
|
|
|
468bd4 |
goto fail;
|
|
|
468bd4 |
}
|