Blame SOURCES/0430-lib-arg-Block-repeated-short-options-that-require-an.patch

468bd4
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
468bd4
From: Daniel Axtens <dja@axtens.net>
468bd4
Date: Fri, 22 Jan 2021 16:07:29 +1100
468bd4
Subject: [PATCH] lib/arg: Block repeated short options that require an
468bd4
 argument
468bd4
468bd4
Fuzzing found the following crash:
468bd4
468bd4
  search -hhhhhhhhhhhhhf
468bd4
468bd4
We didn't allocate enough option space for 13 hints because the
468bd4
allocation code counts the number of discrete arguments (i.e. argc).
468bd4
However, the shortopt parsing code will happily keep processing
468bd4
a combination of short options without checking if those short
468bd4
options require an argument. This means you can easily end writing
468bd4
past the allocated option space.
468bd4
468bd4
This fixes a OOB write which can cause heap corruption.
468bd4
468bd4
Fixes: CVE-2021-20225
468bd4
468bd4
Signed-off-by: Daniel Axtens <dja@axtens.net>
468bd4
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
468bd4
---
468bd4
 grub-core/lib/arg.c | 13 +++++++++++++
468bd4
 1 file changed, 13 insertions(+)
468bd4
468bd4
diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
f6e916
index 3288609a5..537c5e94b 100644
468bd4
--- a/grub-core/lib/arg.c
468bd4
+++ b/grub-core/lib/arg.c
468bd4
@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
468bd4
 		 it can have an argument value.  */
468bd4
 	      if (*curshort)
468bd4
 		{
468bd4
+		  /*
468bd4
+		   * Only permit further short opts if this one doesn't
468bd4
+		   * require a value.
468bd4
+		   */
468bd4
+		  if (opt->type != ARG_TYPE_NONE &&
468bd4
+		      !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
468bd4
+		    {
468bd4
+		      grub_error (GRUB_ERR_BAD_ARGUMENT,
468bd4
+				  N_("missing mandatory option for `%s'"),
468bd4
+				  opt->longarg);
468bd4
+		      goto fail;
468bd4
+		    }
468bd4
+
468bd4
 		  if (parse_option (cmd, opt, 0, usr) || grub_errno)
468bd4
 		    goto fail;
468bd4
 		}