2020-08-10 20:01:43 +00:00
|
|
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
2020-07-29 17:39:24 +00:00
|
|
|
From: Colin Watson <cjwatson@debian.org>
|
|
|
|
Date: Fri, 24 Jul 2020 17:18:09 +0100
|
2020-08-10 20:01:43 +00:00
|
|
|
Subject: [PATCH] efilinux: Fix integer overflows in grub_cmd_initrd
|
2020-07-29 17:39:24 +00:00
|
|
|
|
|
|
|
These could be triggered by an extremely large number of arguments to
|
|
|
|
the initrd command on 32-bit architectures, or a crafted filesystem with
|
|
|
|
very large files on any architecture.
|
|
|
|
|
|
|
|
Signed-off-by: Colin Watson <cjwatson@debian.org>
|
|
|
|
---
|
|
|
|
grub-core/loader/i386/efi/linux.c | 9 +++++++--
|
|
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
|
|
|
|
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
|
|
|
|
index 65d1b5cc034..2bd6663625d 100644
|
|
|
|
--- a/grub-core/loader/i386/efi/linux.c
|
|
|
|
+++ b/grub-core/loader/i386/efi/linux.c
|
|
|
|
@@ -29,6 +29,7 @@
|
|
|
|
#include <grub/efi/linux.h>
|
|
|
|
#include <grub/tpm.h>
|
|
|
|
#include <grub/cpu/efi/memory.h>
|
|
|
|
+#include <grub/safemath.h>
|
|
|
|
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
|
|
|
|
@@ -207,7 +208,7 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
- files = grub_zalloc (argc * sizeof (files[0]));
|
|
|
|
+ files = grub_calloc (argc, sizeof (files[0]));
|
|
|
|
if (!files)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
@@ -218,7 +219,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
|
|
|
|
if (! files[i])
|
|
|
|
goto fail;
|
|
|
|
nfiles++;
|
|
|
|
- size += ALIGN_UP (grub_file_size (files[i]), 4);
|
|
|
|
+ if (grub_add (size, ALIGN_UP (grub_file_size (files[i]), 4), &size))
|
|
|
|
+ {
|
|
|
|
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
|
|
|
+ goto fail;
|
|
|
|
+ }
|
|
|
|
}
|
|
|
|
|
|
|
|
initrd_mem = kernel_alloc(size, N_("can't allocate initrd"));
|