From 107dc9a693991e6bdd7ee9244d813d01483f9a9c Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas
Date: Tue, 12 May 2020 20:16:59 +0200
Subject: [PATCH] Fix a segfault in grub2-editenv when attempting to shrink a variable
Signed-off-by: Javier Martinez Canillas
---
 ...r-overrun-when-attempting-to-shrink-.patch | 60 +++++++++++++++++++
 grub.patches | 1 +
 grub2.spec | 5 +-
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 0213-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
diff --git a/0213-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch b/0213-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
new file mode 100644
index 0000000..09d378f
--- /dev/null
+++ b/0213-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Tue, 12 May 2020 01:00:51 +0200
+Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
+ variable value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an existing variable is set with a value whose length is smaller than
+the current value, a memory corruption can happen due copying padding '#'
+characters outside of the environment block buffer.
+
+This is caused by a wrong calculation of the previous free space position
+after moving backward the characters that followed the old variable value.
+
+That position is calculated to fill the remaining of the buffer with the
+padding '#' characters. But since isn't calculated correctly, it can lead
+to copies outside of the buffer.
+
+The issue can be reproduced by creating a variable with a large value and
+then try to set a new value that is much smaller:
+
+$ grub2-editenv --version
+grub2-editenv (GRUB) 2.04
+
+$ grub2-editenv env create
+
+$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
+
+$ wc -c env
+1024 grubenv
+
+$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
+malloc(): corrupted top size
+Aborted (core dumped)
+
+$ wc -c env
+0 grubenv
+
+Reported-by: Renaud Métrich
+Signed-off-by: Javier Martinez Canillas
+Patch-cc: Daniel Kiper
+---
+ grub-core/lib/envblk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
+index f89d86d4e8d..874506da169 100644
+--- a/grub-core/lib/envblk.c
++++ b/grub-core/lib/envblk.c
+@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
+ /* Move the following characters backward, and fill the new
+ space with harmless characters.
 */
+ grub_memmove (p + vl, p + len, pend - (p + len));
+- grub_memset (space + len - vl, '#', len - vl);
++ grub_memset (space - (len - vl), '#', len - vl);
+ }
+ else
+ /* Move the following characters forward. */
diff --git a/grub.patches b/grub.patches
index 2b922dd..ba6c8ec 100644
--- a/grub.patches
+++ b/grub.patches
@@ -210,3 +210,4 @@ Patch0209: 0209-10_linux.in-Enable-BLS-configuration-if-new-kernel-p.patch
 Patch0210: 0210-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
 Patch0211: 0211-blscfg-Lookup-default_kernelopts-variable-as-fallbac.patch
 Patch0212: 0212-10_linux.in-fix-early-exit-due-error-when-reading-pe.patch
+Patch0213: 0213-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
diff --git a/grub2.spec b/grub2.spec
index fe9f2f4..201cbba 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -9,7 +9,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.04
-Release: 15%{?dist}
+Release: 16%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -504,6 +504,9 @@ rm -r /boot/grub2.tmp/ || :
 %endif
 %changelog
+* Tue May 12 2020 Javier Martinez Canillas - 2.04-16
+- Fix a segfault in grub2-editenv when attempting to shrink a variable
+
 * Thu Apr 30 2020 Javier Martinez Canillas - 2.04-15
 - blscfg: Lookup default_kernelopts variable as fallback for options
 Related: rhbz#1765297
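Review bot: The corrected `grub_memset (space - (len - vl), '#', len - vl);` is right, but nothing in the hunk says what `space` denotes at that point, which is exactly what the old `space + len - vl` got wrong, so a one-line comment above the memset would keep the next reader from "fixing" it back, e.g. `/* space still marks the old end of used data; the shrink moved that end back by len - vl bytes, so re-pad exactly that gap.  */`. The `grub_memmove` on the line before already copies everything from `p + len` up to `pend`, padding included, so that gap is the only region left holding stale bytes. grub_envblk_set starts and ends outside the hunk, so that `space`, `len` and `vl` mean free-space start, old value length and new value length is inferred from the names and should be confirmed against the function head. Since this is carried as a downstream patch, noting in the patch header whether it has been posted or merged upstream would make it easy to drop on the next rebase.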