Blame SOURCES/0355-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darren Kenny <darren.kenny@oracle.com>
Date: Fri, 11 Dec 2020 15:03:13 +0000
Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference

The model of grub_efi_get_memory_map() is that if memory_map is NULL,
then the purpose is to discover how much memory should be allocated to
it for the subsequent call.

The problem here is that with grub_efi_is_finished set to 1, there is no
check at all that the function is being called with a non-NULL memory_map.

While this MAY be true, we shouldn't assume it.

The solution to this is to behave as expected, and if memory_map is NULL,
then don't try to use it and allow memory_map_size to be filled in, and
return 0 as is done later in the code if the buffer is too small (or NULL).

Additionally, drop unneeded ret = 1.

Fixes: CID 96632

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/kern/efi/mm.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
index abe9c70557f..bb022f43e91 100644
--- a/grub-core/kern/efi/mm.c
+++ b/grub-core/kern/efi/mm.c
@@ -334,16 +334,25 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
   if (grub_efi_is_finished)
     {
       int ret = 1;
-      if (*memory_map_size < finish_mmap_size)
+
+      if (memory_map != NULL)
 	{
-	  grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+	  if (*memory_map_size < finish_mmap_size)
+	    {
+	      grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+	      ret = 0;
+	    }
+          else
+	    grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+	}
+      else
+	{
+	  /*
+	   * Incomplete, no buffer to copy into, same as
+	   * GRUB_EFI_BUFFER_TOO_SMALL below.
+	   */
 	  ret = 0;
 	}
-      else
-	{
-	  grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
-	  ret = 1;
-	}
       *memory_map_size = finish_mmap_size;
       if (map_key)
 	*map_key = finish_key;
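Review bot: the added `+          else` line (the one pairing with `if (*memory_map_size < finish_mmap_size)`) is indented with spaces while every other line in the hunk uses a tab, so the nesting reads as misaligned next to `+	    }` and `+	    grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);`; use a tab to match the surrounding GNU-style indentation. Logic-wise the restructuring is sound: `ret` starts at 1, both the too-small and the NULL-buffer paths set it to 0, and the full-size copy keeps 1, so dropping the redundant `ret = 1;` does not change the result. One thing worth stating in the commit message: `memory_map_size` is still dereferenced unconditionally at `*memory_map_size = finish_mmap_size;` (unlike `map_key`, which is guarded by `if (map_key)`), so the NULL tolerance this patch adds covers only `memory_map`, consistent with `memory_map_size` being a required out-parameter.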