From fbea00c276c195e27501a33d36f148aa55d6d390 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Tue, 12 May 2020 01:00:51 +0200 Subject: [PATCH 203/237] envblk: Fix buffer overrun when attempting to shrink a variable value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If an existing variable is set with a value whose length is smaller than the current value, a memory corruption can happen due copying padding '#' characters outside of the environment block buffer. This is caused by a wrong calculation of the previous free space position after moving backward the characters that followed the old variable value. That position is calculated to fill the remaining of the buffer with the padding '#' characters. But since isn't calculated correctly, it can lead to copies outside of the buffer. The issue can be reproduced by creating a variable with a large value and then try to set a new value that is much smaller: $ grub2-editenv --version grub2-editenv (GRUB) 2.04 $ grub2-editenv env create $ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)" $ wc -c env 1024 grubenv $ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)" malloc(): corrupted top size Aborted (core dumped) $ wc -c env 0 grubenv Reported-by: Renaud Métrich Signed-off-by: Javier Martinez Canillas Patch-cc: Daniel Kiper --- grub-core/lib/envblk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c index f89d86d4e8d..874506da169 100644 --- a/grub-core/lib/envblk.c +++ b/grub-core/lib/envblk.c @@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value) /* Move the following characters backward, and fill the new space with harmless characters. */ grub_memmove (p + vl, p + len, pend - (p + len)); - grub_memset (space + len - vl, '#', len - vl); + grub_memset (space - (len - vl), '#', len - vl); } else /* Move the following characters forward. */ -- 2.26.2