rpms / grub2

Clone
Source Code
GIT

Blame SOURCES/0392-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-i686 c8 c8-beta c8s c9 c9-beta
  1.   80913e16b82b8bcbd1ae5b4710366c03b142020c
  2.   SOURCES
  3.   0392-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
Blob History Raw
80913e 
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e 
From: Darren Kenny <darren.kenny@oracle.com>
80913e 
Date: Fri, 11 Dec 2020 15:03:13 +0000
80913e 
Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
80913e
80913e 
The model of grub_efi_get_memory_map() is that if memory_map is NULL,
80913e 
then the purpose is to discover how much memory should be allocated to
80913e 
it for the subsequent call.
80913e
80913e 
The problem here is that with grub_efi_is_finished set to 1, there is no
80913e 
check at all that the function is being called with a non-NULL memory_map.
80913e
80913e 
While this MAY be true, we shouldn't assume it.
80913e
80913e 
The solution to this is to behave as expected, and if memory_map is NULL,
80913e 
then don't try to use it and allow memory_map_size to be filled in, and
80913e 
return 0 as is done later in the code if the buffer is too small (or NULL).
80913e
80913e 
Additionally, drop unneeded ret = 1.
80913e
80913e 
Fixes: CID 96632
80913e
80913e 
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
80913e 
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
80913e 
---
80913e 
 grub-core/kern/efi/mm.c | 23 ++++++++++++++++-------
80913e 
 1 file changed, 16 insertions(+), 7 deletions(-)
80913e
80913e 
diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
80913e 
index 306924f73a4..2d9c9032b2a 100644
80913e 
--- a/grub-core/kern/efi/mm.c
80913e 
+++ b/grub-core/kern/efi/mm.c
80913e 
@@ -372,16 +372,25 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
80913e 
   if (grub_efi_is_finished)
80913e 
     {
80913e 
       int ret = 1;
80913e 
-      if (*memory_map_size < finish_mmap_size)
80913e 
+
80913e 
+      if (memory_map != NULL)
80913e 
 	{
80913e 
-	  grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
80913e 
+	  if (*memory_map_size < finish_mmap_size)
80913e 
+	    {
80913e 
+	      grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
80913e 
+	      ret = 0;
80913e 
+	    }
80913e 
+          else
80913e 
+	    grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
80913e 
+	}
80913e 
+      else
80913e 
+	{
80913e 
+	  /*
80913e 
+	   * Incomplete, no buffer to copy into, same as
80913e 
+	   * GRUB_EFI_BUFFER_TOO_SMALL below.
80913e 
+	   */
80913e 
 	  ret = 0;
80913e 
 	}
80913e 
-      else
80913e 
-	{
80913e 
-	  grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
80913e 
-	  ret = 1;
80913e 
-	}
80913e 
       *memory_map_size = finish_mmap_size;
80913e 
       if (map_key)
80913e 
 	*map_key = finish_key;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation