term: Fix overflow on user inputs

This requires a very weird input from the serial interface but can cause
an overflow in input_buf (keys) overwriting the next variable (npending)
with the user choice:

(pahole output)

struct grub_terminfo_input_state {
        int                        input_buf[6];         /*     0    24 */
        int                        npending;             /*    24     4 */ <- CORRUPT
        ...snip...

The magic string required to cause this is "ESC,O,],0,1,2,q" and we overflow
npending with "q" (aka increase npending to 161). The simplest fix is
to disallow overwriting input_buf, which is exactly what this patch does.

Fixes: CID 292449

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Konrad Rzeszutek Wilk 2020-07-07 15:12:25 -04:00 committed by Daniel Kiper
parent 16c0dbf4bc
commit 61b7ca08d1


@ -398,7 +398,7 @@ grub_terminfo_getwh (struct grub_term_output *term)
}
static void
grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len,
grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, int max_len,
int (*readkey) (struct grub_term_input *term))
{
int c;
@ -414,6 +414,9 @@ grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len,
if (c == -1) \
return; \
\
if (*len >= max_len) \
return; \
\
keys[*len] = c; \
(*len)++; \
}
@ -602,8 +605,8 @@ grub_terminfo_getkey (struct grub_term_input *termi)
return ret;
}
grub_terminfo_readkey (termi, data->input_buf,
&data->npending, data->readkey);
grub_terminfo_readkey (termi, data->input_buf, &data->npending,
GRUB_TERMINFO_READKEY_MAX_LEN, data->readkey);
#if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275)
if (data->npending == 1 && data->input_buf[0] == GRUB_TERM_ESC