diff --git a/0203-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch b/0203-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
new file mode 100644
index 0000000..09d378f
--- /dev/null
+++ b/0203-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Tue, 12 May 2020 01:00:51 +0200
+Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
+ variable value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an existing variable is set with a value whose length is smaller than
+the current value, a memory corruption can happen due copying padding '#'
+characters outside of the environment block buffer.
+
+This is caused by a wrong calculation of the previous free space position
+after moving backward the characters that followed the old variable value.
+
+That position is calculated to fill the remaining of the buffer with the
+padding '#' characters. But since isn't calculated correctly, it can lead
+to copies outside of the buffer.
+
+The issue can be reproduced by creating a variable with a large value and
+then try to set a new value that is much smaller:
+
+$ grub2-editenv --version
+grub2-editenv (GRUB) 2.04
+
+$ grub2-editenv env create
+
+$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
+
+$ wc -c env
+1024 grubenv
+
+$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
+malloc(): corrupted top size
+Aborted (core dumped)
+
+$ wc -c env
+0 grubenv
+
+Reported-by: Renaud Métrich
+Signed-off-by: Javier Martinez Canillas
+Patch-cc: Daniel Kiper
+---
+ grub-core/lib/envblk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
+index f89d86d4e8d..874506da169 100644
+--- a/grub-core/lib/envblk.c
++++ b/grub-core/lib/envblk.c
+@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
+ /* Move the following characters backward, and fill the new
+ space with harmless characters. */
+ grub_memmove (p + vl, p + len, pend - (p + len));
+- grub_memset (space + len - vl, '#', len - vl);
++ grub_memset (space - (len - vl), '#', len - vl);
+ }
+ else
+ /* Move the following characters forward. */
diff --git a/grub.patches b/grub.patches
index 9292d46..02c0a52 100644
--- a/grub.patches
+++ b/grub.patches
@@ -200,3 +200,4 @@ Patch0199: 0199-grub-switch-to-blscfg-Update-grub2-binary-in-ESP-for.patch
 Patch0200: 0200-grub-switch-to-blscfg-Only-mark-GRUB-as-BLS-supporte.patch
 Patch0201: 0201-grub-switch-to-blscfg-Use-install-to-copy-GRUB-binar.patch
 Patch0202: 0202-10_linux.in-Enable-BLS-configuration-if-new-kernel-p.patch
+Patch0203: 0203-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
diff --git a/grub2.spec b/grub2.spec
index 4b0c1f7..3ce46c7 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -7,7 +7,7 @@ Name: grub2
 Epoch: 1
 Version: 2.02
-Release: 108%{?dist}
+Release: 109%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -518,6 +518,9 @@ rm -r /boot/grub2.tmp/ || :
 %endif
 %changelog
+* Tue May 12 2020 Javier Martinez Canillas - 2.02-109
+- Fix grub2-editenv segfault when attempting to shrink a variable
+
 * Thu Apr 16 2020 Javier Martinez Canillas - 2.02-108
 - Make the grub-switch-to-blscfg and 10_linux scripts more robust
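Review bot: The replaced memset in the embedded envblk.c hunk now pads `len - vl` bytes starting at `space - (len - vl)`, but the `grub_memmove (p + vl, p + len, pend - (p + len))` on the line above already shifts the whole tail of the block back by `len - vl` bytes, so the bytes the move actually vacates are the last `len - vl` before `pend`, `[pend - (len - vl), pend)`, which the memmove leaves with whatever they held before. Whether `space - (len - vl)` denotes that same region depends on how `space` is derived, which is outside the hunk; if `space` is the first '#' after the variables, the moved padding already covers `[space - (len - vl), space)` and the memset is redundant while the tail is never cleared. A form that does not depend on `space`, `grub_memset (pend - (len - vl), '#', len - vl);`, pads exactly the vacated tail and stays in bounds on this branch because `len > vl` here and `p + len <= pend` is already assumed by the memmove length. grub_envblk_set's body begins and ends outside the hunk, so this should be confirmed against how `space` and `pend` are set there, ideally with a regression test that shrinks a value as in the commit message's reproducer.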