Blame SOURCES/0159-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch

5593c8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
5593c8
From: Colin Watson <cjwatson@debian.org>
5593c8
Date: Fri, 24 Jul 2020 17:18:09 +0100
5593c8
Subject: [PATCH] efilinux: Fix integer overflows in grub_cmd_initrd
5593c8
5593c8
These could be triggered by an extremely large number of arguments to
5593c8
the initrd command on 32-bit architectures, or a crafted filesystem with
5593c8
very large files on any architecture.
5593c8
5593c8
Signed-off-by: Colin Watson <cjwatson@debian.org>
5593c8
---
5593c8
 grub-core/loader/i386/efi/linux.c | 10 ++++++++--
5593c8
 1 file changed, 8 insertions(+), 2 deletions(-)
5593c8
5593c8
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
1c6ba0
index 15d40d6e35..f992ceeef2 100644
5593c8
--- a/grub-core/loader/i386/efi/linux.c
5593c8
+++ b/grub-core/loader/i386/efi/linux.c
5593c8
@@ -28,6 +28,8 @@
5593c8
 #include <grub/efi/efi.h>
5593c8
 #include <grub/efi/linux.h>
5593c8
 #include <grub/cpu/efi/memory.h>
5593c8
+#include <grub/tpm.h>
5593c8
+#include <grub/safemath.h>
5593c8
 
5593c8
 GRUB_MOD_LICENSE ("GPLv3+");
5593c8
 
5593c8
@@ -206,7 +208,7 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
5593c8
       goto fail;
5593c8
     }
5593c8
 
5593c8
-  files = grub_zalloc (argc * sizeof (files[0]));
5593c8
+  files = grub_calloc (argc, sizeof (files[0]));
5593c8
   if (!files)
5593c8
     goto fail;
5593c8
 
5593c8
@@ -216,7 +218,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
5593c8
       if (! files[i])
5593c8
         goto fail;
5593c8
       nfiles++;
5593c8
-      size += ALIGN_UP (grub_file_size (files[i]), 4);
5593c8
+      if (grub_add (size, ALIGN_UP (grub_file_size (files[i]), 4), &size))
5593c8
+	{
5593c8
+	  grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
5593c8
+	  goto fail;
5593c8
+	}
5593c8
     }
5593c8
 
5593c8
   initrd_mem = kernel_alloc(size, N_("can't allocate initrd"));