malloc: Use overflow checking primitives where we do complex allocations
This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:
X = grub_malloc(arithmetic_expr);
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.
Among other issues, this fixes:
- allocation of integer overflow in grub_video_bitmap_create()
reported by Chris Coulson,
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in grub_squash_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in grub_ext2_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in read_section_as_string()
reported by Chris Coulson.
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Peter Jones
Daniel Kiper
parent
f725fa7cb2
commit
3f05d693d1
23 changed files with 382 additions and 113 deletions
|
|
@ -55,6 +55,7 @@
|
|||
#include <grub/deflate.h>
|
||||
#include <grub/crypto.h>
|
||||
#include <grub/i18n.h>
|
||||
#include <grub/safemath.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
|
|
@ -776,11 +777,14 @@ fill_vdev_info (struct grub_zfs_data *data,
|
|||
if (data->n_devices_attached > data->n_devices_allocated)
|
||||
{
|
||||
void *tmp;
|
||||
data->n_devices_allocated = 2 * data->n_devices_attached + 1;
|
||||
data->devices_attached
|
||||
= grub_realloc (tmp = data->devices_attached,
|
||||
data->n_devices_allocated
|
||||
* sizeof (data->devices_attached[0]));
|
||||
grub_size_t sz;
|
||||
|
||||
if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
|
||||
grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
|
||||
grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
|
||||
return GRUB_ERR_OUT_OF_RANGE;
|
||||
|
||||
data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
|
||||
if (!data->devices_attached)
|
||||
{
|
||||
data->devices_attached = tmp;
|
||||
|
|
@ -3471,14 +3475,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
|
|||
{
|
||||
char *nvpair;
|
||||
char *ret;
|
||||
grub_size_t size;
|
||||
grub_size_t size, sz;
|
||||
int found;
|
||||
|
||||
found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
|
||||
&size, 0);
|
||||
if (!found)
|
||||
return 0;
|
||||
ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
|
||||
|
||||
if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
|
||||
return 0;
|
||||
|
||||
ret = grub_zalloc (sz);
|
||||
if (!ret)
|
||||
return 0;
|
||||
grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@
|
|||
#include <grub/misc.h>
|
||||
#include <grub/disk.h>
|
||||
#include <grub/partition.h>
|
||||
#include <grub/safemath.h>
|
||||
#include <grub/dl.h>
|
||||
#include <grub/types.h>
|
||||
#include <grub/zfs/zfs.h>
|
||||
|
|
@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
|
|||
int passphrase)
|
||||
{
|
||||
struct grub_zfs_wrap_key *key;
|
||||
grub_size_t sz;
|
||||
|
||||
if (!passphrase && keylen > 32)
|
||||
keylen = 32;
|
||||
key = grub_malloc (sizeof (*key) + keylen);
|
||||
if (grub_add (sizeof (*key), keylen, &sz))
|
||||
return GRUB_ERR_OUT_OF_RANGE;
|
||||
key = grub_malloc (sz);
|
||||
if (!key)
|
||||
return grub_errno;
|
||||
key->is_passphrase = passphrase;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue