relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow

Use arithmetic macros from safemath.h to accomplish it. In this commit, I didn't want to be too paranoid to check every possible math equation for overflow/underflow. Only obvious places (with non zero chance of overflow/underflow) were refactored. Signed-off-by: Alexey Makhalov <amakhalov@vmware.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-07-15 06:42:37 +00:00 · 2020-07-15 06:42:37 +00:00 · caea56d1f8
commit caea56d1f8
parent 781b3e5efc
4 changed files with 31 additions and 10 deletions
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@ -36,6 +36,7 @@
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
 #include <grub/machine/kernel.h>
+#include <grub/safemath.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -547,9 +548,13 @@ grub_linux_boot (void)

  {
    grub_relocator_chunk_t ch;
+    grub_size_t sz;
+
+    if (grub_add (ctx.real_size, efi_mmap_size, &sz))
+      return GRUB_ERR_OUT_OF_RANGE;
+
    err = grub_relocator_alloc_chunk_addr (relocator, &ch,
-					   ctx.real_mode_target,
-					   (ctx.real_size + efi_mmap_size));
+					   ctx.real_mode_target, sz);
    if (err)
     return err;
    real_mode_mem = get_virtual_current_address (ch);
--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@ -35,6 +35,7 @@
 #include <grub/i386/floppy.h>
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
+#include <grub/safemath.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -218,8 +219,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
    setup_sects = GRUB_LINUX_DEFAULT_SETUP_SECTS;

  real_size = setup_sects << GRUB_DISK_SECTOR_BITS;
-  grub_linux16_prot_size = grub_file_size (file)
-    - real_size - GRUB_DISK_SECTOR_SIZE;
+  if (grub_sub (grub_file_size (file), real_size, &grub_linux16_prot_size) ||
+      grub_sub (grub_linux16_prot_size, GRUB_DISK_SECTOR_SIZE, &grub_linux16_prot_size))
+    {
+      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+      goto fail;
+    }

  if (! grub_linux_is_bzimage
      && GRUB_LINUX_ZIMAGE_ADDR + grub_linux16_prot_size
--- a/grub-core/loader/i386/xen.c
+++ b/grub-core/loader/i386/xen.c
@ -41,6 +41,7 @@
 #include <grub/linux.h>
 #include <grub/i386/memory.h>
 #include <grub/verify.h>
+#include <grub/safemath.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -636,6 +637,7 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
  grub_relocator_chunk_t ch;
  grub_addr_t kern_start;
  grub_addr_t kern_end;
+  grub_size_t sz;

  if (argc == 0)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
@ -703,8 +705,14 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),

  xen_state.max_addr = ALIGN_UP (kern_end, PAGE_SIZE);

-  err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start,
-					 kern_end - kern_start);
+
+  if (grub_sub (kern_end, kern_start, &sz))
+    {
+      err = GRUB_ERR_OUT_OF_RANGE;
+      goto fail;
+    }
+
+  err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, sz);
  if (err)
    goto fail;
  kern_chunk_src = get_virtual_current_address (ch);