Blame SOURCES/0309-efi-ip-46-_config.c-fix-some-potential-allocation-ov.patch

5975ab
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
a4d572
From: Peter Jones <pjones@redhat.com>
a4d572
Date: Sun, 19 Jul 2020 17:27:00 -0400
5975ab
Subject: [PATCH] efi/ip[46]_config.c: fix some potential allocation overflows
a4d572
a4d572
In theory all of this data comes from the firmware stack and it should
a4d572
be safe, but it's better to be paranoid.
a4d572
a4d572
Signed-off-by: Peter Jones <pjones@redhat.com>
a4d572
---
a4d572
 grub-core/net/efi/ip4_config.c | 25 ++++++++++++++++++-------
a4d572
 grub-core/net/efi/ip6_config.c | 13 ++++++++++---
a4d572
 2 files changed, 28 insertions(+), 10 deletions(-)
a4d572
a4d572
diff --git a/grub-core/net/efi/ip4_config.c b/grub-core/net/efi/ip4_config.c
09e3cc
index 6117e60ab..5ea5ed039 100644
a4d572
--- a/grub-core/net/efi/ip4_config.c
a4d572
+++ b/grub-core/net/efi/ip4_config.c
a4d572
@@ -4,15 +4,20 @@
a4d572
 #include <grub/misc.h>
a4d572
 #include <grub/net/efi.h>
a4d572
 #include <grub/charset.h>
a4d572
+#include <grub/safemath.h>
a4d572
 
a4d572
 char *
a4d572
 grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_address_t hw_address)
a4d572
 {
a4d572
   char *hw_addr, *p;
a4d572
-  int sz, s;
a4d572
-  int i;
a4d572
+  grub_size_t sz, s, i;
a4d572
 
a4d572
-  sz = (int)hw_address_size * (sizeof ("XX:") - 1) + 1;
a4d572
+  if (grub_mul (hw_address_size, sizeof ("XX:") - 1, &sz) ||
a4d572
+      grub_add (sz, 1, &sz))
a4d572
+    {
a4d572
+      grub_errno = GRUB_ERR_OUT_OF_RANGE;
a4d572
+      return NULL;
a4d572
+    }
a4d572
 
a4d572
   hw_addr = grub_malloc (sz);
a4d572
   if (!hw_addr)
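Review bot: `hw_address_size` is now checked for arithmetic overflow by the `grub_mul`/`grub_add` pair, but nothing compares it with the capacity of `hw_address`, which the loop in the next hunk reads as `hw_address[i]` for every `i < hw_address_size`. If `grub_efi_mac_address_t` is a fixed-size byte array (its definition is not visible here), a size larger than that array coming from the firmware would read past its end. A guard ahead of the size computation, for example `if (hw_address_size > sizeof (grub_efi_mac_address_t))` followed by the same `GRUB_ERR_OUT_OF_RANGE` return, would close that. Using `sizeof (hw_address)` would not work, because an array parameter decays to a pointer. The function body continues past this hunk.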
a4d572
@@ -20,7 +25,7 @@ grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_a
a4d572
 
a4d572
   p = hw_addr;
a4d572
   s = sz;
a4d572
-  for (i = 0; i < (int)hw_address_size; i++)
a4d572
+  for (i = 0; i < hw_address_size; i++)
a4d572
     {
a4d572
       grub_snprintf (p, sz, "%02x:", hw_address[i]);
a4d572
       p +=  sizeof ("XX:") - 1;
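Review bot: The bound passed to `grub_snprintf (p, sz, ...)` is the size of the whole allocation even though `p` advances by three bytes per iteration, so it does not limit the write to what is left of the buffer. `s` is set to `sz` just above and looks intended to track the remaining space (its update, if any, is outside this hunk), so `grub_snprintf (p, s, "%02x:", hw_address[i]);` would make the bound meaningful. Assuming byte-sized elements, the allocation of three bytes per element plus one still holds every write, so this is hardening rather than a live overflow.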
a4d572
@@ -238,14 +243,20 @@ grub_efi_ip4_interface_route_table (struct grub_efi_net_device *dev)
a4d572
 {
a4d572
   grub_efi_ip4_config2_interface_info_t *interface_info;
a4d572
   char **ret;
a4d572
-  int i, id;
a4d572
+  int id;
a4d572
+  grub_size_t i, nmemb;
a4d572
 
a4d572
   interface_info = efi_ip4_config_interface_info (dev->ip4_config);
a4d572
   if (!interface_info)
a4d572
     return NULL;
a4d572
 
a4d572
-  ret = grub_malloc (sizeof (*ret) * (interface_info->route_table_size + 1));
a4d572
+  if (grub_add (interface_info->route_table_size, 1, &nmemb))
a4d572
+    {
a4d572
+      grub_errno = GRUB_ERR_OUT_OF_RANGE;
a4d572
+      return NULL;
a4d572
+    }
a4d572
 
a4d572
+  ret = grub_calloc (nmemb, sizeof (*ret));
a4d572
   if (!ret)
a4d572
     {
a4d572
       grub_free (interface_info);
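Review bot: The new overflow branch returns NULL without releasing `interface_info`, which `efi_ip4_config_interface_info` returned a few lines earlier. The existing `if (!ret)` path does call `grub_free (interface_info)`, which indicates this function is responsible for freeing it. Add `grub_free (interface_info);` before `return NULL;` in the `grub_add` failure block. The same omission appears in the matching hunk for `grub_efi_ip6_interface_route_table` in ip6_config.c.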
a4d572
@@ -253,7 +264,7 @@ grub_efi_ip4_interface_route_table (struct grub_efi_net_device *dev)
a4d572
     }
a4d572
 
a4d572
   id = 0;
a4d572
-  for (i = 0; i < (int)interface_info->route_table_size; i++)
a4d572
+  for (i = 0; i < interface_info->route_table_size; i++)
a4d572
     {
a4d572
       char *subnet, *gateway, *mask;
a4d572
       grub_uint32_t u32_subnet, u32_gateway;
a4d572
diff --git a/grub-core/net/efi/ip6_config.c b/grub-core/net/efi/ip6_config.c
09e3cc
index e0e00c23d..1c5415d71 100644
a4d572
--- a/grub-core/net/efi/ip6_config.c
a4d572
+++ b/grub-core/net/efi/ip6_config.c
a4d572
@@ -3,6 +3,7 @@
a4d572
 #include <grub/misc.h>
a4d572
 #include <grub/net/efi.h>
a4d572
 #include <grub/charset.h>
a4d572
+#include <grub/safemath.h>
a4d572
 
a4d572
 char *
a4d572
 grub_efi_ip6_address_to_string (grub_efi_pxe_ipv6_address_t *address)
a4d572
@@ -228,14 +229,20 @@ grub_efi_ip6_interface_route_table (struct grub_efi_net_device *dev)
a4d572
 {
a4d572
   grub_efi_ip6_config_interface_info_t *interface_info;
a4d572
   char **ret;
a4d572
-  int i, id;
a4d572
+  int id;
a4d572
+  grub_size_t i, nmemb;
a4d572
 
a4d572
   interface_info = efi_ip6_config_interface_info (dev->ip6_config);
a4d572
   if (!interface_info)
a4d572
     return NULL;
a4d572
 
a4d572
-  ret = grub_malloc (sizeof (*ret) * (interface_info->route_count + 1));
a4d572
+  if (grub_add (interface_info->route_count, 1, &nmemb))
a4d572
+    {
a4d572
+      grub_errno = GRUB_ERR_OUT_OF_RANGE;
a4d572
+      return NULL;
a4d572
+    }
a4d572
 
a4d572
+  ret = grub_calloc (nmemb, sizeof (*ret));
a4d572
   if (!ret)
a4d572
     {
a4d572
       grub_free (interface_info);
a4d572
@@ -243,7 +250,7 @@ grub_efi_ip6_interface_route_table (struct grub_efi_net_device *dev)
a4d572
     }
a4d572
 
a4d572
   id = 0;
a4d572
-  for (i = 0; i < (int)interface_info->route_count ; i++)
a4d572
+  for (i = 0; i < interface_info->route_count ; i++)
a4d572
     {
a4d572
       char *gateway, *destination;
a4d572
       grub_uint64_t u64_gateway[2];