Eliminate grub_min/grub_max prone to overflow usage.

* grub-core/bus/usb/usbhub.c (grub_usb_add_hub): Eliminate grub_min.
	(poll_nonroot_hub): Likewise.
	* grub-core/fs/affs.c (grub_affs_iterate_dir): Likewise.
	(grub_affs_label): Likewise.
	* grub-core/fs/btrfs.c (grub_btrfs_lzo_decompress): Likewise.
	* grub-core/fs/hfs.c (grub_hfs_dir): Likewise.
	(grub_hfs_label): Likewise.
	* grub-core/fs/hfsplus.c (grub_hfsplus_cmp_catkey): Likewise.
	* grub-core/fs/zfs/zfs.c (MIN): Remove.
	(zap_leaf_array_equal): Use grub_size. Remove MIN.
	(zap_leaf_array_get): Likewise.
	(dnode_get_path): Likewise.
	* grub-core/io/lzopio.c (grub_lzopio_read): Eliminate grub_min.
	* grub-core/io/xzio.c (grub_xzio_read): Likewise.
	* grub-core/script/execute.c (grub_script_break): Likewise.
	* grub-core/script/lexer.c (grub_script_lexer_record): Eliminate
	grub_max.
	* grub-core/script/yylex.l (grub_lexer_yyrealloc): Likewise.
	* include/grub/misc.h (grub_min): Removed.
	(grub_max): Likewise.
Vladimir 'phcoder' Serbinenko 2012-01-14 15:44:34 +01:00
parent 80662dbc5d
commit 9c2710789f
13 changed files with 97 additions and 57 deletions


@ -1,3 +1,28 @@
2012-01-14 Vladimir Serbinenko <phcoder@gmail.com>
Eliminate grub_min/grub_max prone to overflow usage.
* grub-core/bus/usb/usbhub.c (grub_usb_add_hub): Eliminate grub_min.
(poll_nonroot_hub): Likewise.
* grub-core/fs/affs.c (grub_affs_iterate_dir): Likewise.
(grub_affs_label): Likewise.
* grub-core/fs/btrfs.c (grub_btrfs_lzo_decompress): Likewise.
* grub-core/fs/hfs.c (grub_hfs_dir): Likewise.
(grub_hfs_label): Likewise.
* grub-core/fs/hfsplus.c (grub_hfsplus_cmp_catkey): Likewise.
* grub-core/fs/zfs/zfs.c (MIN): Remove.
(zap_leaf_array_equal): Use grub_size. Remove MIN.
(zap_leaf_array_get): Likewise.
(dnode_get_path): Likewise.
* grub-core/io/lzopio.c (grub_lzopio_read): Eliminate grub_min.
* grub-core/io/xzio.c (grub_xzio_read): Likewise.
* grub-core/script/execute.c (grub_script_break): Likewise.
* grub-core/script/lexer.c (grub_script_lexer_record): Eliminate
grub_max.
* grub-core/script/yylex.l (grub_lexer_yyrealloc): Likewise.
* include/grub/misc.h (grub_min): Removed.
(grub_max): Likewise.
2012-01-14 Samuel Thibault <samuel.thibault@ens-lyon.org> 2012-01-14 Samuel Thibault <samuel.thibault@ens-lyon.org>
* grub-core/fs/ext2.c (grub_ext2_iterate_dir): Ignore entries with * grub-core/fs/ext2.c (grub_ext2_iterate_dir): Ignore entries with


@ -158,11 +158,13 @@ grub_usb_add_hub (grub_usb_device_t dev)
if ((endp->endp_addr & 128) && grub_usb_get_ep_type(endp) if ((endp->endp_addr & 128) && grub_usb_get_ep_type(endp)
== GRUB_USB_EP_INTERRUPT) == GRUB_USB_EP_INTERRUPT)
{ {
grub_size_t len;
dev->hub_endpoint = endp; dev->hub_endpoint = endp;
len = endp->maxpacket;
if (len > sizeof (dev->statuschange))
len = sizeof (dev->statuschange);
dev->hub_transfer dev->hub_transfer
= grub_usb_bulk_read_background (dev, endp->endp_addr, = grub_usb_bulk_read_background (dev, endp->endp_addr, len,
grub_min (endp->maxpacket,
sizeof (dev->statuschange)),
(char *) &dev->statuschange); (char *) &dev->statuschange);
break; break;
} }
@ -314,7 +316,7 @@ poll_nonroot_hub (grub_usb_device_t dev)
grub_usb_err_t err; grub_usb_err_t err;
unsigned i; unsigned i;
grub_uint8_t changed; grub_uint8_t changed;
grub_size_t actual; grub_size_t actual, len;
int j, total; int j, total;
if (!dev->hub_transfer) if (!dev->hub_transfer)
@ -327,10 +329,11 @@ poll_nonroot_hub (grub_usb_device_t dev)
changed = dev->statuschange; changed = dev->statuschange;
len = dev->hub_endpoint->maxpacket;
if (len > sizeof (dev->statuschange))
len = sizeof (dev->statuschange);
dev->hub_transfer dev->hub_transfer
= grub_usb_bulk_read_background (dev, dev->hub_endpoint->endp_addr, = grub_usb_bulk_read_background (dev, dev->hub_endpoint->endp_addr, len,
grub_min (dev->hub_endpoint->maxpacket,
sizeof (dev->statuschange)),
(char *) &dev->statuschange); (char *) &dev->statuschange);
if (err || actual == 0 || changed == 0) if (err || actual == 0 || changed == 0)


@ -305,6 +305,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
{ {
int type; int type;
grub_uint8_t name_u8[sizeof (fil->name) * GRUB_MAX_UTF8_PER_LATIN1 + 1]; grub_uint8_t name_u8[sizeof (fil->name) * GRUB_MAX_UTF8_PER_LATIN1 + 1];
grub_size_t len;
node = grub_zalloc (sizeof (*node)); node = grub_zalloc (sizeof (*node));
if (!node) if (!node)
@ -327,8 +328,10 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
node->di = *fil; node->di = *fil;
node->parent = dir; node->parent = dir;
*grub_latin1_to_utf8 (name_u8, fil->name, len = fil->namelen;
grub_min (fil->namelen, sizeof (fil->name))) = '\0'; if (len > sizeof (fil->name))
len = sizeof (fil->name);
*grub_latin1_to_utf8 (name_u8, fil->name, len) = '\0';
if (hook ((char *) name_u8, type, node)) if (hook ((char *) name_u8, type, node))
{ {
@ -540,7 +543,9 @@ grub_affs_label (grub_device_t device, char **label)
if (grub_errno) if (grub_errno)
return 0; return 0;
len = grub_min (file.namelen, sizeof (file.name)); len = file.namelen;
if (len > sizeof (file.name))
len = sizeof (file.name);
*label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
if (*label) if (*label)
*grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0'; *grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0';


@ -928,13 +928,17 @@ grub_btrfs_lzo_decompress(char *ibuf, grub_size_t isize, grub_off_t off,
/* Block partially filled with requested data. */ /* Block partially filled with requested data. */
if (off > 0 || osize < GRUB_BTRFS_LZO_BLOCK_SIZE) if (off > 0 || osize < GRUB_BTRFS_LZO_BLOCK_SIZE)
{ {
grub_size_t to_copy = grub_min(osize, GRUB_BTRFS_LZO_BLOCK_SIZE - off); grub_size_t to_copy = GRUB_BTRFS_LZO_BLOCK_SIZE - off;
if (to_copy > osize)
to_copy = osize;
if (lzo1x_decompress_safe ((lzo_bytep)ibuf, cblock_size, buf, &usize, if (lzo1x_decompress_safe ((lzo_bytep)ibuf, cblock_size, buf, &usize,
NULL) != LZO_E_OK) NULL) != LZO_E_OK)
return -1; return -1;
to_copy = grub_min(to_copy, usize); if (to_copy > usize)
to_copy = usize;
grub_memcpy(obuf, buf + off, to_copy); grub_memcpy(obuf, buf + off, to_copy);
osize -= to_copy; osize -= to_copy;
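Review bot: The second clamp, `if (to_copy > usize) to_copy = usize;`, bounds the copy by the decompressed size but not by where the read starts, so `grub_memcpy(obuf, buf + off, to_copy)` can still read past the `usize` bytes that lzo1x_decompress_safe produced whenever `off + to_copy` exceeds `usize`. A block that decompresses to less than a full block (presumably possible at the end of an extent, or in a corrupted image) would then copy stale bytes from `buf` into the caller's buffer. Clamping against the remaining data closes this: `if (off >= usize) to_copy = 0; else if (to_copy > usize - off) to_copy = usize - off;`. The first assignment, `GRUB_BTRFS_LZO_BLOCK_SIZE - off`, likewise assumes `off` is below the block size; that bound is presumably established earlier in the function, outside this hunk.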


@ -1150,10 +1150,14 @@ grub_hfs_dir (grub_device_t device, const char *path,
struct grub_hfs_catalog_key *ckey = rec->key; struct grub_hfs_catalog_key *ckey = rec->key;
char fname[sizeof (ckey->str) * MAX_UTF8_PER_MAC_ROMAN + 1] = { 0 }; char fname[sizeof (ckey->str) * MAX_UTF8_PER_MAC_ROMAN + 1] = { 0 };
struct grub_dirhook_info info; struct grub_dirhook_info info;
grub_size_t len;
grub_memset (&info, 0, sizeof (info)); grub_memset (&info, 0, sizeof (info));
macroman_to_utf8 (fname, ckey->str, grub_min (ckey->strlen, len = ckey->strlen;
sizeof (ckey->str))); if (len > sizeof (ckey->str))
len = sizeof (ckey->str);
macroman_to_utf8 (fname, ckey->str, len);
info.case_insensitive = 1; info.case_insensitive = 1;
@ -1272,8 +1276,9 @@ grub_hfs_label (grub_device_t device, char **label)
if (data) if (data)
{ {
grub_size_t len = grub_min (sizeof (data->sblock.volname) - 1, grub_size_t len = data->sblock.volname[0];
data->sblock.volname[0]); if (len > sizeof (data->sblock.volname) - 1)
len = sizeof (data->sblock.volname) - 1;
*label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1); *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1);
if (*label) if (*label)
macroman_to_utf8 (*label, data->sblock.volname + 1, macroman_to_utf8 (*label, data->sblock.volname + 1,


@ -520,6 +520,7 @@ grub_hfsplus_cmp_catkey (struct grub_hfsplus_key *keya,
struct grub_hfsplus_catkey *catkey_a = &keya->catkey; struct grub_hfsplus_catkey *catkey_a = &keya->catkey;
struct grub_hfsplus_catkey_internal *catkey_b = &keyb->catkey; struct grub_hfsplus_catkey_internal *catkey_b = &keyb->catkey;
int diff; int diff;
grub_size_t len;
/* Safe unsigned comparison */ /* Safe unsigned comparison */
grub_uint32_t aparent = grub_be_to_cpu32 (catkey_a->parent); grub_uint32_t aparent = grub_be_to_cpu32 (catkey_a->parent);
@ -528,10 +529,11 @@ grub_hfsplus_cmp_catkey (struct grub_hfsplus_key *keya,
if (aparent < catkey_b->parent) if (aparent < catkey_b->parent)
return -1; return -1;
len = grub_be_to_cpu16 (catkey_a->namelen);
if (len > catkey_b->namelen)
len = catkey_b->namelen;
diff = grub_memcmp (catkey_a->name, catkey_b->name, diff = grub_memcmp (catkey_a->name, catkey_b->name,
grub_min (grub_be_to_cpu16 (catkey_a->namelen), len * sizeof (catkey_a->name[0]));
catkey_b->namelen)
* sizeof (catkey_a->name[0]));
if (diff == 0) if (diff == 0)
diff = grub_be_to_cpu16 (catkey_a->namelen) - catkey_b->namelen; diff = grub_be_to_cpu16 (catkey_a->namelen) - catkey_b->namelen;
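Review bot: The compare length in grub_hfsplus_cmp_catkey is now the smaller of the two `namelen` values, but nothing in the hunk bounds it by the storage behind `catkey_a->name`, and `catkey_a->namelen` is a big-endian field taken from the on-disk key. If that field is not validated where the key is read (not visible here; the function starts and ends outside the hunk), `grub_memcmp` can read past the key on a malformed volume. Either clamp `len` to the capacity of `catkey_a->name` as well, or add a comment next to `len = grub_be_to_cpu16 (catkey_a->namelen);` stating which earlier check guarantees the bound.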


@ -58,8 +58,6 @@ GRUB_MOD_LICENSE ("GPLv3+");
#define ZPOOL_PROP_BOOTFS "bootfs" #define ZPOOL_PROP_BOOTFS "bootfs"
#define MIN(a,b) (((a) < (b)) ? (a) : (b))
/* /*
* For nvlist manipulation. (from nvpair.h) * For nvlist manipulation. (from nvpair.h)
*/ */
@ -1842,18 +1840,21 @@ name_cmp (const char *s1, const char *s2, grub_size_t n,
/* XXX */ /* XXX */
static int static int
zap_leaf_array_equal (zap_leaf_phys_t * l, grub_zfs_endian_t endian, zap_leaf_array_equal (zap_leaf_phys_t * l, grub_zfs_endian_t endian,
int blksft, int chunk, int array_len, const char *buf, int blksft, int chunk, grub_size_t array_len,
int case_insensitive) const char *buf, int case_insensitive)
{ {
int bseen = 0; grub_size_t bseen = 0;
while (bseen < array_len) while (bseen < array_len)
{ {
struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array; struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array;
int toread = MIN (array_len - bseen, ZAP_LEAF_ARRAY_BYTES); grub_size_t toread = array_len - bseen;
if (toread > ZAP_LEAF_ARRAY_BYTES)
toread = ZAP_LEAF_ARRAY_BYTES;
if (chunk >= ZAP_LEAF_NUMCHUNKS (blksft)) if (chunk >= ZAP_LEAF_NUMCHUNKS (blksft))
return (0); return 0;
if (name_cmp ((char *) la->la_array, buf + bseen, toread, if (name_cmp ((char *) la->la_array, buf + bseen, toread,
case_insensitive) != 0) case_insensitive) != 0)
@ -1867,14 +1868,17 @@ zap_leaf_array_equal (zap_leaf_phys_t * l, grub_zfs_endian_t endian,
/* XXX */ /* XXX */
static grub_err_t static grub_err_t
zap_leaf_array_get (zap_leaf_phys_t * l, grub_zfs_endian_t endian, int blksft, zap_leaf_array_get (zap_leaf_phys_t * l, grub_zfs_endian_t endian, int blksft,
int chunk, int array_len, char *buf) int chunk, grub_size_t array_len, char *buf)
{ {
int bseen = 0; grub_size_t bseen = 0;
while (bseen < array_len) while (bseen < array_len)
{ {
struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array; struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array;
int toread = MIN (array_len - bseen, ZAP_LEAF_ARRAY_BYTES); grub_size_t toread = array_len - bseen;
if (toread > ZAP_LEAF_ARRAY_BYTES)
toread = ZAP_LEAF_ARRAY_BYTES;
if (chunk >= ZAP_LEAF_NUMCHUNKS (blksft)) if (chunk >= ZAP_LEAF_NUMCHUNKS (blksft))
/* Don't use grub_error because this error is to be ignored. */ /* Don't use grub_error because this error is to be ignored. */
@ -2516,7 +2520,9 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
if (err) if (err)
return err; return err;
movesize = MIN (sym_sz - block * blksz, blksz); movesize = sym_sz - block * blksz;
if (movesize > blksz)
movesize = blksz;
grub_memcpy (sym_value + block * blksz, t, movesize); grub_memcpy (sym_value + block * blksz, t, movesize);
grub_free (t); grub_free (t);
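Review bot: Changing `array_len` to `grub_size_t` in zap_leaf_array_equal and zap_leaf_array_get alters what happens for any caller that still computes the length as a signed value. A negative length used to make `bseen < array_len` false at once, and now converts to a very large count, leaving the `chunk >= ZAP_LEAF_NUMCHUNKS (blksft)` test as the only stop while `buf + bseen` keeps advancing. The callers are outside these hunks, so it is worth confirming that each one passes an unsigned on-disk length that has already been checked against the size of `buf`. In dnode_get_path, `movesize = sym_sz - block * blksz;` has the same dependence on a loop bound that is not visible here; a short comment naming that invariant would help.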


@ -500,14 +500,16 @@ grub_lzopio_read (grub_file_t file, char *buf, grub_size_t len)
while (len != 0 && lzopio->block.usize != 0) while (len != 0 && lzopio->block.usize != 0)
{ {
long to_copy; grub_size_t to_copy;
/* Block not decompressed yet. */ /* Block not decompressed yet. */
if (!lzopio->block.udata && uncompress_block (lzopio) < 0) if (!lzopio->block.udata && uncompress_block (lzopio) < 0)
goto CORRUPTED; goto CORRUPTED;
/* Copy requested data into buffer. */ /* Copy requested data into buffer. */
to_copy = grub_min (lzopio->block.usize - off, len); to_copy = lzopio->block.usize - off;
if (to_copy > len)
to_copy = len;
grub_memcpy (buf, lzopio->block.udata + off, to_copy); grub_memcpy (buf, lzopio->block.udata + off, to_copy);
len -= to_copy; len -= to_copy;
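Review bot: With `to_copy` now a `grub_size_t`, `lzopio->block.usize - off` wraps to a very large value if `off` is ever greater than the block's uncompressed size, and the `to_copy > len` clamp then lets `grub_memcpy` read `len` bytes starting beyond `lzopio->block.udata`. Where `off` is bounded is outside this hunk, as is the rest of grub_lzopio_read. Either a one-line comment stating that invariant or an explicit guard before the subtraction, such as `if (off > lzopio->block.usize) goto CORRUPTED;`, would make the unsigned arithmetic safe to read on its own.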


@ -266,9 +266,9 @@ grub_xzio_read (grub_file_t file, char *buf, grub_size_t len)
while (len > 0) while (len > 0)
{ {
xzio->buf.out_size = grub_min (file->offset + ret + len - current_offset, xzio->buf.out_size = file->offset + ret + len - current_offset;
XZBUFSIZ); if (xzio->buf.out_size > XZBUFSIZ)
xzio->buf.out_size = XZBUFSIZ;
/* Feed input. */ /* Feed input. */
if (xzio->buf.in_pos == xzio->buf.in_size) if (xzio->buf.in_pos == xzio->buf.in_size)
{ {


@ -82,7 +82,9 @@ grub_script_break (grub_command_t cmd, int argc, char *argv[])
return grub_error (GRUB_ERR_BAD_ARGUMENT, "bad break"); return grub_error (GRUB_ERR_BAD_ARGUMENT, "bad break");
is_continue = grub_strcmp (cmd->name, "break") ? 1 : 0; is_continue = grub_strcmp (cmd->name, "break") ? 1 : 0;
active_breaks = grub_min (active_loops, count); active_breaks = count;
if (active_breaks > active_loops)
active_breaks = active_loops;
return GRUB_ERR_NONE; return GRUB_ERR_NONE;
} }


@ -107,7 +107,9 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str)
if (lexer->recordpos + len + 1 > lexer->recordlen) if (lexer->recordpos + len + 1 > lexer->recordlen)
{ {
old = lexer->recording; old = lexer->recording;
lexer->recordlen = grub_max (len, lexer->recordlen) * 2; if (lexer->recordlen < len)
lexer->recordlen = len;
lexer->recordlen *= 2;
lexer->recording = grub_realloc (lexer->recording, lexer->recordlen); lexer->recording = grub_realloc (lexer->recording, lexer->recordlen);
if (!lexer->recording) if (!lexer->recording)
{ {


@ -316,14 +316,16 @@ grub_lexer_yyrealloc (void *ptr, yy_size_t size,
static void copy_string (struct grub_parser_param *parser, const char *str, unsigned hint) static void copy_string (struct grub_parser_param *parser, const char *str, unsigned hint)
{ {
int size; grub_size_t size;
char *ptr; char *ptr;
unsigned len; unsigned len;
len = hint ? hint : grub_strlen (str); len = hint ? hint : grub_strlen (str);
if (parser->lexerstate->used + len >= parser->lexerstate->size) if (parser->lexerstate->used + len >= parser->lexerstate->size)
{ {
size = grub_max (len, parser->lexerstate->size) * 2; size = len * 2;
if (size < parser->lexerstate->size * 2)
size = parser->lexerstate->size * 2;
ptr = grub_realloc (parser->lexerstate->text, size); ptr = grub_realloc (parser->lexerstate->text, size);
if (!ptr) if (!ptr)
{ {
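Review bot: In copy_string, `size = len * 2;` is evaluated in `unsigned` because `len` is declared `unsigned`, so the product can wrap before it is stored in the new `grub_size_t size`; `size = (grub_size_t) len * 2;` performs the multiplication at the width of the destination. The same applies to `parser->lexerstate->size * 2` if that field is narrower than `grub_size_t` (its declaration is not in the hunk). The ChangeLog entry lists this change under grub_lexer_yyrealloc, while the edited code is in copy_string, whose body continues past the hunk.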


@ -393,24 +393,6 @@ grub_abs (int x)
return (unsigned int) x; return (unsigned int) x;
} }
static inline long
grub_min (long x, long y)
{
if (x < y)
return x;
else
return y;
}
static inline long
grub_max (long x, long y)
{
if (x > y)
return x;
else
return y;
}
/* Rounded-up division */ /* Rounded-up division */
static inline unsigned int static inline unsigned int
grub_div_roundup (unsigned int x, unsigned int y) grub_div_roundup (unsigned int x, unsigned int y)