loader: validate cmdline string length before appending verity arg

grub-core/loader/i386/efi/linux.c

@@ -286,7 +286,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
                               linux_cmdline + sizeof (LINUX_IMAGE) - 1,
 			      lh.cmdline_size - (sizeof (LINUX_IMAGE) - 1));
 
-  grub_pass_verity_hash(&lh, linux_cmdline);
+  grub_pass_verity_hash(&lh, linux_cmdline, lh.cmdline_size);
   lh.cmd_line_ptr = (grub_uint32_t)(grub_uint64_t)linux_cmdline;
 
   handover_offset = lh.handover_offset;

grub-core/loader/i386/linux.c

@@ -1029,7 +1029,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 			      maximal_cmdline_size
 			      - (sizeof (LINUX_IMAGE) - 1));
 
-  grub_pass_verity_hash(&lh, linux_cmdline);
+  grub_pass_verity_hash(&lh, linux_cmdline, maximal_cmdline_size);
   len = prot_file_size;
   grub_memcpy (prot_mode_mem, kernel + kernel_offset, len);
   kernel_offset += len;

grub-core/loader/i386/verity-hash.h

@@ -1,9 +1,11 @@
 #define VERITY_ARG " verity.usrhash="
+#define VERITY_ARG_LENGTH (sizeof (VERITY_ARG) - 1)
 #define VERITY_HASH_OFFSET 0x40
 #define VERITY_HASH_LENGTH 64
 
 static inline void grub_pass_verity_hash(struct linux_kernel_header *lh,
-					 char *cmdline)
+					 char *cmdline,
+					 grub_size_t cmdline_max_len)
 {
   char *buf = (char *)lh;
   grub_size_t cmdline_len;
@@ -16,10 +18,14 @@ static inline void grub_pass_verity_hash(struct linux_kernel_header *lh,
 	  return;
     }
 
-  grub_memcpy (cmdline + grub_strlen(cmdline), VERITY_ARG,
-	       sizeof (VERITY_ARG));
   cmdline_len = grub_strlen(cmdline);
+  if (cmdline_len + VERITY_ARG_LENGTH + VERITY_HASH_LENGTH > cmdline_max_len)
+    return;
+
+  grub_memcpy (cmdline + cmdline_len, VERITY_ARG, VERITY_ARG_LENGTH);
+  cmdline_len += VERITY_ARG_LENGTH;
   grub_memcpy (cmdline + cmdline_len, buf + VERITY_HASH_OFFSET,
 	       VERITY_HASH_LENGTH);
-  cmdline[cmdline_len + VERITY_HASH_LENGTH] = '\0';
+  cmdline_len += VERITY_HASH_LENGTH;
+  cmdline[cmdline_len] = '\0';
 }