Blame SOURCES/0392-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Darren Kenny <darren.kenny@oracle.com>
9723a8
Date: Fri, 11 Dec 2020 15:03:13 +0000
9723a8
Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
9723a8
9723a8
The model of grub_efi_get_memory_map() is that if memory_map is NULL,
9723a8
then the purpose is to discover how much memory should be allocated to
9723a8
it for the subsequent call.
9723a8
9723a8
The problem here is that with grub_efi_is_finished set to 1, there is no
9723a8
check at all that the function is being called with a non-NULL memory_map.
9723a8
9723a8
While this MAY be true, we shouldn't assume it.
9723a8
9723a8
The solution to this is to behave as expected, and if memory_map is NULL,
9723a8
then don't try to use it and allow memory_map_size to be filled in, and
9723a8
return 0 as is done later in the code if the buffer is too small (or NULL).
9723a8
9723a8
Additionally, drop unneeded ret = 1.
9723a8
9723a8
Fixes: CID 96632
9723a8
9723a8
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/kern/efi/mm.c | 23 ++++++++++++++++-------
9723a8
 1 file changed, 16 insertions(+), 7 deletions(-)
9723a8
9723a8
diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
9723a8
index 306924f73a4..2d9c9032b2a 100644
9723a8
--- a/grub-core/kern/efi/mm.c
9723a8
+++ b/grub-core/kern/efi/mm.c
9723a8
@@ -372,16 +372,25 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
9723a8
   if (grub_efi_is_finished)
9723a8
     {
9723a8
       int ret = 1;
9723a8
-      if (*memory_map_size < finish_mmap_size)
9723a8
+
9723a8
+      if (memory_map != NULL)
9723a8
 	{
9723a8
-	  grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
9723a8
+	  if (*memory_map_size < finish_mmap_size)
9723a8
+	    {
9723a8
+	      grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
9723a8
+	      ret = 0;
9723a8
+	    }
9723a8
+          else
9723a8
+	    grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
9723a8
+	}
9723a8
+      else
9723a8
+	{
9723a8
+	  /*
9723a8
+	   * Incomplete, no buffer to copy into, same as
9723a8
+	   * GRUB_EFI_BUFFER_TOO_SMALL below.
9723a8
+	   */
9723a8
 	  ret = 0;
9723a8
 	}
9723a8
-      else
9723a8
-	{
9723a8
-	  grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
9723a8
-	  ret = 1;
9723a8
-	}
9723a8
       *memory_map_size = finish_mmap_size;
9723a8
       if (map_key)
9723a8
 	*map_key = finish_key;