This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:
X = grub_malloc(arithmetic_expr);
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.
Among other issues, this fixes:
- allocation of integer overflow in grub_video_bitmap_create()
reported by Chris Coulson,
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in grub_squash_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in grub_ext2_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in read_section_as_string()
reported by Chris Coulson.
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
gcc says:
grub-core/fs/squash4.c: In function ‘direct_read’:
grub-core/fs/squash4.c:868:10: error: ‘err’ may be used uninitialized in
this function [-Werror=maybe-uninitialized]
868 | if (err)
| ^
cc1: all warnings being treated as errors
This patch initializes it to GRUB_ERR_NONE.
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1. Do not assume block list and fragment are mutually exclusive. Squash
can pack file tail as fragment (unless -no-fragments is specified); so
check read offset and read either from block list or from fragments as
appropriate.
2. Support sparse files with zero blocks.
3. Fix fragment read - frag.offset is absolute fragment position,
not offset relative to ino.chunk.
Reported and tested by Carlo Caione <carlo@endlessm.com>
* grub-core/fs/squash4.c (grub_fshelp_node): New field stsize.
Make inode numbers into stack.
(grub_squash_read_symlink): Use stack.
(grub_squash_iterate_dir): Use stack. Create "." and ".." nodes.
(make_root_node): Fill stack.
(grub_squash_open): Use stack.
* grub-core/fs/squash4.c (grub_squash_super): Add block_size. Remove
unused flags.
(grub_squash_inode): Add long_file and block_size.
(grub_squash_cache_inode): New struct.
(grub_squash_dirent): Make types into enum.
(SQUASH_TYPE_LONG_REGULAR): New type.
(grub_squash_frag_desc): Add field size.
(SQUASH_BLOCK_FLAGS): New enum.
(grub_squash_data): Use grub_squash_cache_inode.
(grub_fshelp_node): Make ino_chunk 64-bit.
(read_chunk): Minor argument change. All users updated.
(squash_mount): Use correct le_to_cpu.
(grub_squash_open): Handle LONG_REGULAR.
(direct_read): New function.
(grub_squash_read_data): Handle blocks correctly.
