From d5339007d0ffdaf6e8a4e9702e7cec447b118804 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 14 Jul 2015 16:58:51 -0700 Subject: [PATCH 149/229] Fix race in EFI validation --- grub-core/loader/i386/efi/linux.c | 44 ++++++++++----------------------------- 1 file changed, 11 insertions(+), 33 deletions(-) diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c index e5b778577f9..7ccf32d9d45 100644 --- a/grub-core/loader/i386/efi/linux.c +++ b/grub-core/loader/i386/efi/linux.c @@ -154,7 +154,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), grub_file_t file = 0; struct linux_kernel_header lh; grub_ssize_t len, start, filelen; - void *kernel; + void *kernel = NULL; grub_dl_ref (my_mod); @@ -191,10 +191,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), goto fail; } - grub_file_seek (file, 0); - - grub_free(kernel); - params = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(16384)); if (! params) @@ -203,15 +199,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), goto fail; } - memset (params, 0, 16384); + grub_memset (params, 0, 16384); - if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh)) - { - if (!grub_errno) - grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), - argv[0]); - goto fail; - } + grub_memcpy (&lh, kernel, sizeof (lh)); if (lh.boot_flag != grub_cpu_to_le16 (0xaa55)) { @@ -271,27 +261,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), goto fail; } - if (grub_file_seek (file, start) == (grub_off_t) -1) - { - grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), - argv[0]); - goto fail; - } + grub_memcpy (kernel_mem, (char *)kernel + start, len); + grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0); + loaded=1; - if (grub_file_read (file, kernel_mem, len) != len && !grub_errno) - { - grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), - argv[0]); - } - - if (grub_errno == GRUB_ERR_NONE) - { - grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0); - loaded = 1; - lh.code32_start = (grub_uint32_t)(grub_uint64_t) kernel_mem; - } - - memcpy(params, &lh, 2 * 512); + lh.code32_start = (grub_uint32_t)(grub_uint64_t) kernel_mem; + grub_memcpy (params, &lh, 2 * 512); params->type_of_loader = 0x21; @@ -300,6 +275,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), if (file) grub_file_close (file); + if (kernel) + grub_free (kernel); + if (grub_errno != GRUB_ERR_NONE) { grub_dl_unref (my_mod); -- 2.15.0