Blame SOURCES/0392-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch

468bd4
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
468bd4
From: Darren Kenny <darren.kenny@oracle.com>
468bd4
Date: Fri, 11 Dec 2020 15:03:13 +0000
468bd4
Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
468bd4
468bd4
The model of grub_efi_get_memory_map() is that if memory_map is NULL,
468bd4
then the purpose is to discover how much memory should be allocated to
468bd4
it for the subsequent call.
468bd4
468bd4
The problem here is that with grub_efi_is_finished set to 1, there is no
468bd4
check at all that the function is being called with a non-NULL memory_map.
468bd4
468bd4
While this MAY be true, we shouldn't assume it.
468bd4
468bd4
The solution to this is to behave as expected, and if memory_map is NULL,
468bd4
then don't try to use it and allow memory_map_size to be filled in, and
468bd4
return 0 as is done later in the code if the buffer is too small (or NULL).
468bd4
468bd4
Additionally, drop unneeded ret = 1.
468bd4
468bd4
Fixes: CID 96632
468bd4
468bd4
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
468bd4
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
468bd4
---
468bd4
 grub-core/kern/efi/mm.c | 23 ++++++++++++++++-------
468bd4
 1 file changed, 16 insertions(+), 7 deletions(-)
468bd4
468bd4
diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
f6e916
index 306924f73..2d9c9032b 100644
468bd4
--- a/grub-core/kern/efi/mm.c
468bd4
+++ b/grub-core/kern/efi/mm.c
468bd4
@@ -372,16 +372,25 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
468bd4
   if (grub_efi_is_finished)
468bd4
     {
468bd4
       int ret = 1;
468bd4
-      if (*memory_map_size < finish_mmap_size)
468bd4
+
468bd4
+      if (memory_map != NULL)
468bd4
 	{
468bd4
-	  grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
468bd4
+	  if (*memory_map_size < finish_mmap_size)
468bd4
+	    {
468bd4
+	      grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
468bd4
+	      ret = 0;
468bd4
+	    }
468bd4
+          else
468bd4
+	    grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
468bd4
+	}
468bd4
+      else
468bd4
+	{
468bd4
+	  /*
468bd4
+	   * Incomplete, no buffer to copy into, same as
468bd4
+	   * GRUB_EFI_BUFFER_TOO_SMALL below.
468bd4
+	   */
468bd4
 	  ret = 0;
468bd4
 	}
468bd4
-      else
468bd4
-	{
468bd4
-	  grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
468bd4
-	  ret = 1;
468bd4
-	}
468bd4
       *memory_map_size = finish_mmap_size;
468bd4
       if (map_key)
468bd4
 	*map_key = finish_key;