vbatts/grub
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

malloc: Use overflow checking primitives where we do complex allocations

Browse source 
This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:

  X = grub_malloc(arithmetic_expr);

It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.

Among other issues, this fixes:
  - allocation of integer overflow in grub_video_bitmap_create()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_squash_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_ext2_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in read_section_as_string()
    reported by Chris Coulson.

Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Peter Jones 2020-06-15 12:28:27 -04:00 committed by Daniel Kiper
parent f725fa7cb2
commit 3f05d693d1
23 changed files with 382 additions and 113 deletions
Download patch file Download diff file Expand all files Collapse all files

28
grub-core/fs/btrfs.c
View file

@ -40,6 +40,7 @@
#include <grub/btrfs.h>
#include <grub/crypto.h>
#include <grub/diskfilter.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@ -331,9 +332,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc,
if (desc->allocated < desc->depth)
{
void *newdata;
desc->allocated *= 2;
newdata = grub_realloc (desc->data, sizeof (desc->data[0])
* desc->allocated);
grub_size_t sz;
if (grub_mul (desc->allocated, 2, &desc->allocated) ||
grub_mul (desc->allocated, sizeof (desc->data[0]), &sz))
return GRUB_ERR_OUT_OF_RANGE;
newdata = grub_realloc (desc->data, sz);
if (!newdata)
return grub_errno;
desc->data = newdata;
@ -624,16 +629,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id)
if (data->n_devices_attached > data->n_devices_allocated)
{
void *tmp;
data->n_devices_allocated = 2 * data->n_devices_attached + 1;
data->devices_attached
= grub_realloc (tmp = data->devices_attached,
data->n_devices_allocated
* sizeof (data->devices_attached[0]));
grub_size_t sz;
if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
goto fail;
data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
if (!data->devices_attached)
{
data->devices_attached = tmp;
fail:
if (ctx.dev_found)
grub_device_close (ctx.dev_found);
data->devices_attached = tmp;
return NULL;
}
}

10
grub-core/fs/ext2.c
View file

@ -46,6 +46,7 @@
#include <grub/dl.h>
#include <grub/types.h>
#include <grub/fshelp.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
{
char *symlink;
struct grub_fshelp_node *diro = node;
grub_size_t sz;
if (! diro->inode_read)
{
@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
}
}
symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz))
{
grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
return NULL;
}
symlink = grub_malloc (sz);
if (! symlink)
return 0;

51
grub-core/fs/iso9660.c
View file

@ -28,6 +28,7 @@
#include <grub/fshelp.h>
#include <grub/charset.h>
#include <grub/datetime.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx,
int len2)
{
int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
grub_size_t sz;
ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1);
if (grub_add (size, len2, &sz) ||
grub_add (sz, 1, &sz))
return;
ctx->symlink = grub_realloc (ctx->symlink, sz);
if (! ctx->symlink)
return;
@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
{
grub_size_t off = 0, csize = 1;
char *old;
grub_size_t sz;
csize = entry->len - 5;
old = ctx->filename;
if (ctx->filename_alloc)
{
off = grub_strlen (ctx->filename);
ctx->filename = grub_realloc (ctx->filename, csize + off + 1);
if (grub_add (csize, off, &sz) ||
grub_add (sz, 1, &sz))
return GRUB_ERR_OUT_OF_RANGE;
ctx->filename = grub_realloc (ctx->filename, sz);
}
else
{
off = 0;
ctx->filename = grub_zalloc (csize + 1);
if (grub_add (csize, 1, &sz))
return GRUB_ERR_OUT_OF_RANGE;
ctx->filename = grub_zalloc (sz);
}
if (!ctx->filename)
{
@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
if (node->have_dirents >= node->alloc_dirents)
{
struct grub_fshelp_node *new_node;
node->alloc_dirents *= 2;
new_node = grub_realloc (node,
sizeof (struct grub_fshelp_node)
+ ((node->alloc_dirents
- ARRAY_SIZE (node->dirents))
* sizeof (node->dirents[0])));
grub_size_t sz;
if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
goto fail_0;
new_node = grub_realloc (node, sz);
if (!new_node)
{
fail_0:
if (ctx.filename_alloc)
grub_free (ctx.filename);
grub_free (node);
@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
* sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1)
{
struct grub_fshelp_node *new_node;
new_node = grub_realloc (node,
sizeof (struct grub_fshelp_node)
+ ((node->alloc_dirents
- ARRAY_SIZE (node->dirents))
* sizeof (node->dirents[0]))
+ grub_strlen (ctx.symlink) + 1);
grub_size_t sz;
if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) ||
grub_add (sz, grub_strlen (ctx.symlink), &sz))
goto fail_1;
new_node = grub_realloc (node, sz);
if (!new_node)
{
fail_1:
if (ctx.filename_alloc)
grub_free (ctx.filename);
grub_free (node);

27
grub-core/fs/sfs.c
View file

@ -26,6 +26,7 @@
#include <grub/types.h>
#include <grub/fshelp.h>
#include <grub/charset.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
if (node->cache && node->cache_size >= node->cache_allocated)
{
struct cache_entry *e = node->cache;
e = grub_realloc (node->cache,node->cache_allocated * 2
* sizeof (e[0]));
grub_size_t sz;
if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz))
goto fail;
e = grub_realloc (node->cache, sz);
if (!e)
{
fail:
grub_errno = 0;
grub_free (node->cache);
node->cache = 0;
@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node,
grub_size_t len = grub_strlen (name);
grub_uint8_t *name_u8;
int ret;
grub_size_t sz;
if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
grub_add (sz, 1, &sz))
return 1;
*node = grub_malloc (sizeof (**node));
if (!*node)
return 1;
name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
name_u8 = grub_malloc (sz);
if (!name_u8)
{
grub_free (*node);
@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label)
data = grub_sfs_mount (disk);
if (data)
{
grub_size_t len = grub_strlen (data->label);
*label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
grub_size_t sz, len = grub_strlen (data->label);
if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
grub_add (sz, 1, &sz))
return GRUB_ERR_OUT_OF_RANGE;
*label = grub_malloc (sz);
if (*label)
*grub_latin1_to_utf8 ((grub_uint8_t *) *label,
(const grub_uint8_t *) data->label,

45
grub-core/fs/squash4.c
View file

@ -26,6 +26,7 @@
#include <grub/types.h>
#include <grub/fshelp.h>
#include <grub/deflate.h>
#include <grub/safemath.h>
#include <minilzo.h>
#include "xz.h"
@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node)
{
char *ret;
grub_err_t err;
ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1);
grub_size_t sz;
if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))
{
grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
return NULL;
}
ret = grub_malloc (sz);
if (!ret)
return NULL;
err = read_chunk (node->data, ret,
grub_le_to_cpu32 (node->ino.symlink.namelen),
@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
{
grub_fshelp_node_t node;
node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
grub_size_t sz;
if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
grub_add (sz, sizeof (*node), &sz))
return 0;
node = grub_malloc (sz);
if (!node)
return 0;
grub_memcpy (node, dir,
sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
grub_memcpy (node, dir, sz);
if (hook (".", GRUB_FSHELP_DIR, node, hook_data))
return 1;
@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
{
grub_err_t err;
node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
grub_add (sz, sizeof (*node), &sz))
return 0;
node = grub_malloc (sz);
if (!node)
return 0;
grub_memcpy (node, dir,
sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
grub_memcpy (node, dir, sz);
node->stsize--;
err = read_chunk (dir->data, &node->ino, sizeof (node->ino),
@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG;
struct grub_squash_dirent di;
struct grub_squash_inode ino;
grub_size_t sz;
err = read_chunk (dir->data, &di, sizeof (di),
grub_le_to_cpu64 (dir->data->sb.diroffset)
@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK)
filetype = GRUB_FSHELP_SYMLINK;
node = grub_malloc (sizeof (*node)
+ (dir->stsize + 1) * sizeof (dir->stack[0]));
if (grub_add (dir->stsize, 1, &sz) ||
grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
grub_add (sz, sizeof (*node), &sz))
return 0;
node = grub_malloc (sz);
if (! node)
return 0;
grub_memcpy (node, dir,
sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
node->ino = ino;
node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk);

41
grub-core/fs/udf.c
View file

@ -28,6 +28,7 @@
#include <grub/charset.h>
#include <grub/datetime.h>
#include <grub/udf.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2];
}
if (!outbuf)
outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1);
{
grub_size_t size;
if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) ||
grub_add (size, 1, &size))
goto fail;
outbuf = grub_malloc (size);
}
if (outbuf)
*grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0';
fail:
grub_free (utf16);
return outbuf;
}
@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
grub_size_t sz = U64 (node->block.fe.file_size);
grub_uint8_t *raw;
const grub_uint8_t *ptr;
char *out, *optr;
char *out = NULL, *optr;
if (sz < 4)
return NULL;
@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
if (!raw)
return NULL;
if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
{
grub_free (raw);
return NULL;
}
goto fail_1;
out = grub_malloc (sz * 2 + 1);
if (grub_mul (sz, 2, &sz) ||
grub_add (sz, 1, &sz))
goto fail_0;
out = grub_malloc (sz);
if (!out)
{
fail_0:
grub_free (raw);
return NULL;
}
@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
{
grub_size_t s;
if ((grub_size_t) (ptr - raw + 4) > sz)
goto fail;
goto fail_1;
if (!(ptr[2] == 0 && ptr[3] == 0))
goto fail;
goto fail_1;
s = 4 + ptr[1];
if ((grub_size_t) (ptr - raw + s) > sz)
goto fail;
goto fail_1;
switch (*ptr)
{
case 1:
if (ptr[1])
goto fail;
goto fail_1;
/* Fallthrough. */
case 2:
/* in 4 bytes. out: 1 byte. */
@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
if (optr != out)
*optr++ = '/';
if (!read_string (ptr + 4, s - 4, optr))
goto fail;
goto fail_1;
optr += grub_strlen (optr);
break;
default:
goto fail;
goto fail_1;
}
ptr += s;
}
@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
grub_free (raw);
return out;
fail:
fail_1:
grub_free (raw);
grub_free (out);
grub_error (GRUB_ERR_BAD_FS, "invalid symlink");

11
grub-core/fs/xfs.c
View file

@ -25,6 +25,7 @@
#include <grub/dl.h>
#include <grub/types.h>
#include <grub/fshelp.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@ -899,6 +900,7 @@ static struct grub_xfs_data *
grub_xfs_mount (grub_disk_t disk)
{
struct grub_xfs_data *data = 0;
grub_size_t sz;
data = grub_zalloc (sizeof (struct grub_xfs_data));
if (!data)
@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk)
if (!grub_xfs_sb_valid(data))
goto fail;
data = grub_realloc (data,
sizeof (struct grub_xfs_data)
- sizeof (struct grub_xfs_inode)
+ grub_xfs_inode_size(data) + 1);
if (grub_add (grub_xfs_inode_size (data),
sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz))
goto fail;
data = grub_realloc (data, sz);
if (! data)
goto fail;

22
grub-core/fs/zfs/zfs.c
View file

@ -55,6 +55,7 @@
#include <grub/deflate.h>
#include <grub/crypto.h>
#include <grub/i18n.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@ -776,11 +777,14 @@ fill_vdev_info (struct grub_zfs_data *data,
if (data->n_devices_attached > data->n_devices_allocated)
{
void *tmp;
data->n_devices_allocated = 2 * data->n_devices_attached + 1;
data->devices_attached
= grub_realloc (tmp = data->devices_attached,
data->n_devices_allocated
* sizeof (data->devices_attached[0]));
grub_size_t sz;
if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
return GRUB_ERR_OUT_OF_RANGE;
data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
if (!data->devices_attached)
{
data->devices_attached = tmp;
@ -3471,14 +3475,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
{
char *nvpair;
char *ret;
grub_size_t size;
grub_size_t size, sz;
int found;
found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
&size, 0);
if (!found)
return 0;
ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
return 0;
ret = grub_zalloc (sz);
if (!ret)
return 0;
grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));

7
grub-core/fs/zfs/zfscrypt.c
View file

@ -22,6 +22,7 @@
#include <grub/misc.h>
#include <grub/disk.h>
#include <grub/partition.h>
#include <grub/safemath.h>
#include <grub/dl.h>
#include <grub/types.h>
#include <grub/zfs/zfs.h>
@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
int passphrase)
{
struct grub_zfs_wrap_key *key;
grub_size_t sz;
if (!passphrase && keylen > 32)
keylen = 32;
key = grub_malloc (sizeof (*key) + keylen);
if (grub_add (sizeof (*key), keylen, &sz))
return GRUB_ERR_OUT_OF_RANGE;
key = grub_malloc (sz);
if (!key)
return grub_errno;
key->is_passphrase = passphrase;