Blame SOURCES/0432-commands-menuentry-Fix-quoting-in-setparams_prefix.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Daniel Axtens <dja@axtens.net>
9723a8
Date: Fri, 22 Jan 2021 17:10:48 +1100
9723a8
Subject: [PATCH] commands/menuentry: Fix quoting in setparams_prefix()
9723a8
9723a8
Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
9723a8
says that expressing a quoted single quote will require 3 characters. It
9723a8
actually requires (and always did require!) 4 characters:
9723a8
9723a8
  str: a'b => a'\''b
9723a8
  len:  3  => 6 (2 for the letters + 4 for the quote)
9723a8
9723a8
This leads to not allocating enough memory and thus out of bounds writes
9723a8
that have been observed to cause heap corruption.
9723a8
9723a8
Allocate 4 bytes for each single quote.
9723a8
9723a8
Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
9723a8
quoting, but it adds 3 as extra overhead on top of the single byte that
9723a8
the quote already needs. So it's correct.
9723a8
9723a8
Fixes: CVE-2021-20233
9723a8
Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
9723a8
9723a8
Signed-off-by: Daniel Axtens <dja@axtens.net>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/commands/menuentry.c | 2 +-
9723a8
 1 file changed, 1 insertion(+), 1 deletion(-)
9723a8
9723a8
diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
9723a8
index 4b5fcf2ce9a..7a533b9741b 100644
9723a8
--- a/grub-core/commands/menuentry.c
9723a8
+++ b/grub-core/commands/menuentry.c
9723a8
@@ -239,7 +239,7 @@ setparams_prefix (int argc, char **args)
9723a8
       len += 3; /* 3 = 1 space + 2 quotes */
9723a8
       p = args[i];
9723a8
       while (*p)
9723a8
-	len += (*p++ == '\'' ? 3 : 1);
9723a8
+	len += (*p++ == '\'' ? 4 : 1);
9723a8
     }
9723a8
 
9723a8
   result = grub_malloc (len + 2);