Blame SOURCES/0309-efi-ip-46-_config.c-fix-some-potential-allocation-ov.patch

80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Peter Jones <pjones@redhat.com>
80913e
Date: Sun, 19 Jul 2020 17:27:00 -0400
80913e
Subject: [PATCH] efi/ip[46]_config.c: fix some potential allocation overflows
80913e
80913e
In theory all of this data comes from the firmware stack and it should
80913e
be safe, but it's better to be paranoid.
80913e
80913e
Signed-off-by: Peter Jones <pjones@redhat.com>
80913e
---
80913e
 grub-core/net/efi/ip4_config.c | 25 ++++++++++++++++++-------
80913e
 grub-core/net/efi/ip6_config.c | 13 ++++++++++---
80913e
 2 files changed, 28 insertions(+), 10 deletions(-)
80913e
80913e
diff --git a/grub-core/net/efi/ip4_config.c b/grub-core/net/efi/ip4_config.c
80913e
index 6117e60ab12..5ea5ed03925 100644
80913e
--- a/grub-core/net/efi/ip4_config.c
80913e
+++ b/grub-core/net/efi/ip4_config.c
80913e
@@ -4,15 +4,20 @@
80913e
 #include <grub/misc.h>
80913e
 #include <grub/net/efi.h>
80913e
 #include <grub/charset.h>
80913e
+#include <grub/safemath.h>
80913e
 
80913e
 char *
80913e
 grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_address_t hw_address)
80913e
 {
80913e
   char *hw_addr, *p;
80913e
-  int sz, s;
80913e
-  int i;
80913e
+  grub_size_t sz, s, i;
80913e
 
80913e
-  sz = (int)hw_address_size * (sizeof ("XX:") - 1) + 1;
80913e
+  if (grub_mul (hw_address_size, sizeof ("XX:") - 1, &sz) ||
80913e
+      grub_add (sz, 1, &sz))
80913e
+    {
80913e
+      grub_errno = GRUB_ERR_OUT_OF_RANGE;
80913e
+      return NULL;
80913e
+    }
80913e
 
80913e
   hw_addr = grub_malloc (sz);
80913e
   if (!hw_addr)
80913e
@@ -20,7 +25,7 @@ grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_a
80913e
 
80913e
   p = hw_addr;
80913e
   s = sz;
80913e
-  for (i = 0; i < (int)hw_address_size; i++)
80913e
+  for (i = 0; i < hw_address_size; i++)
80913e
     {
80913e
       grub_snprintf (p, sz, "%02x:", hw_address[i]);
80913e
       p +=  sizeof ("XX:") - 1;
80913e
@@ -238,14 +243,20 @@ grub_efi_ip4_interface_route_table (struct grub_efi_net_device *dev)
80913e
 {
80913e
   grub_efi_ip4_config2_interface_info_t *interface_info;
80913e
   char **ret;
80913e
-  int i, id;
80913e
+  int id;
80913e
+  grub_size_t i, nmemb;
80913e
 
80913e
   interface_info = efi_ip4_config_interface_info (dev->ip4_config);
80913e
   if (!interface_info)
80913e
     return NULL;
80913e
 
80913e
-  ret = grub_malloc (sizeof (*ret) * (interface_info->route_table_size + 1));
80913e
+  if (grub_add (interface_info->route_table_size, 1, &nmemb))
80913e
+    {
80913e
+      grub_errno = GRUB_ERR_OUT_OF_RANGE;
80913e
+      return NULL;
80913e
+    }
80913e
 
80913e
+  ret = grub_calloc (nmemb, sizeof (*ret));
80913e
   if (!ret)
80913e
     {
80913e
       grub_free (interface_info);
80913e
@@ -253,7 +264,7 @@ grub_efi_ip4_interface_route_table (struct grub_efi_net_device *dev)
80913e
     }
80913e
 
80913e
   id = 0;
80913e
-  for (i = 0; i < (int)interface_info->route_table_size; i++)
80913e
+  for (i = 0; i < interface_info->route_table_size; i++)
80913e
     {
80913e
       char *subnet, *gateway, *mask;
80913e
       grub_uint32_t u32_subnet, u32_gateway;
80913e
diff --git a/grub-core/net/efi/ip6_config.c b/grub-core/net/efi/ip6_config.c
80913e
index e0e00c23d21..1c5415d7185 100644
80913e
--- a/grub-core/net/efi/ip6_config.c
80913e
+++ b/grub-core/net/efi/ip6_config.c
80913e
@@ -3,6 +3,7 @@
80913e
 #include <grub/misc.h>
80913e
 #include <grub/net/efi.h>
80913e
 #include <grub/charset.h>
80913e
+#include <grub/safemath.h>
80913e
 
80913e
 char *
80913e
 grub_efi_ip6_address_to_string (grub_efi_pxe_ipv6_address_t *address)
80913e
@@ -228,14 +229,20 @@ grub_efi_ip6_interface_route_table (struct grub_efi_net_device *dev)
80913e
 {
80913e
   grub_efi_ip6_config_interface_info_t *interface_info;
80913e
   char **ret;
80913e
-  int i, id;
80913e
+  int id;
80913e
+  grub_size_t i, nmemb;
80913e
 
80913e
   interface_info = efi_ip6_config_interface_info (dev->ip6_config);
80913e
   if (!interface_info)
80913e
     return NULL;
80913e
 
80913e
-  ret = grub_malloc (sizeof (*ret) * (interface_info->route_count + 1));
80913e
+  if (grub_add (interface_info->route_count, 1, &nmemb))
80913e
+    {
80913e
+      grub_errno = GRUB_ERR_OUT_OF_RANGE;
80913e
+      return NULL;
80913e
+    }
80913e
 
80913e
+  ret = grub_calloc (nmemb, sizeof (*ret));
80913e
   if (!ret)
80913e
     {
80913e
       grub_free (interface_info);
80913e
@@ -243,7 +250,7 @@ grub_efi_ip6_interface_route_table (struct grub_efi_net_device *dev)
80913e
     }
80913e
 
80913e
   id = 0;
80913e
-  for (i = 0; i < (int)interface_info->route_count ; i++)
80913e
+  for (i = 0; i < interface_info->route_count ; i++)
80913e
     {
80913e
       char *gateway, *destination;
80913e
       grub_uint64_t u64_gateway[2];