Commit graph

100 commits

Author SHA1 Message Date
Peter Jones
f725fa7cb2 calloc: Use calloc() at most places
This modifies most of the places we do some form of:

  X = malloc(Y * Z);

to use calloc(Y, Z) instead.

Among other issues, this fixes:
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in luks_recover_key()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_lvm_detect()
    reported by Chris Coulson.

Fixes: CVE-2020-14308

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-07-29 16:55:47 +02:00
Peter Jones
d5a32255de misc: Make grub_strtol() "end" pointers have safer const qualifiers
Currently the string functions grub_strtol(), grub_strtoul(), and
grub_strtoull() don't declare the "end" pointer in such a way as to
require the pointer itself or the character array to be immutable to the
implementation, nor does the C standard do so in its similar functions,
though it does require us not to change any of it.

The typical declarations of these functions follow this pattern:

long
strtol(const char * restrict nptr, char ** restrict endptr, int base);

Much of the reason for this is historic, and a discussion of that
follows below, after the explanation of this change.  (GRUB currently
does not include the "restrict" qualifiers, and we name the arguments a
bit differently.)

The implementation is semantically required to treat the character array
as immutable, but such accidental modifications aren't stopped by the
compiler, and the semantics for both the callers and the implementation
of these functions are sometimes also helped by adding that requirement.

This patch changes these declarations to follow this pattern instead:

long
strtol(const char * restrict nptr,
       const char ** const restrict endptr,
       int base);

This means that if any modification to these functions accidentally
introduces either an errant modification to the underlying character
array, or an accidental assignment to endptr rather than *endptr, the
compiler should generate an error.  (The two uses of "restrict" in this
case basically mean strtol() isn't allowed to modify the character array
by going through *endptr, and endptr isn't allowed to point inside the
array.)

It also means the typical use case changes to:

  char *s = ...;
  const char *end;
  long l;

  l = strtol(s, &end, 10);

Or even:

  const char *p = str;
  while (p && *p) {
	  long l = strtol(p, &p, 10);
	  ...
  }

This fixes 26 places where we discard our attempts at treating the data
safely by doing:

  const char *p = str;
  long l;

  l = strtol(p, (char **)&ptr, 10);

It also adds 5 places where we do:

  char *p = str;
  while (p && *p) {
	  long l = strtol(p, (const char ** const)&p, 10);
	  ...
	  /* more calls that need p not to be pointer-to-const */
  }

While moderately distasteful, this is a better problem to have.

With one minor exception, I have tested that all of this compiles
without relevant warnings or errors, and that /much/ of it behaves
correctly, with gcc 9 using 'gcc -W -Wall -Wextra'.  The one exception
is the changes in grub-core/osdep/aros/hostdisk.c , which I have no idea
how to build.

Because the C standard defined type-qualifiers in a way that can be
confusing, in the past there's been a slow but fairly regular stream of
churn within our patches, which add and remove the const qualifier in many
of the users of these functions.  This change should help avoid that in
the future, and in order to help ensure this, I've added an explanation
in misc.h so that when someone does get a compiler warning about a type
error, they have the fix at hand.

The reason we don't have "const" in these calls in the standard is
purely anachronistic: C78 (de facto) did not have type qualifiers in the
syntax, and the "const" type qualifier was added for C89 (I think; it
may have been later).  strtol() appears to date from 4.3BSD in 1986,
which means it could not be added to those functions in the standard
without breaking compatibility, which is usually avoided.

The syntax chosen for type qualifiers is what has led to the churn
regarding usage of const, and is especially confusing on string
functions due to the lack of a string type.  Quoting from C99, the
syntax is:

 declarator:
  pointer[opt] direct-declarator
 direct-declarator:
  identifier
  ( declarator )
  direct-declarator [ type-qualifier-list[opt] assignment-expression[opt] ]
  ...
  direct-declarator [ type-qualifier-list[opt] * ]
  ...
 pointer:
  * type-qualifier-list[opt]
  * type-qualifier-list[opt] pointer
 type-qualifier-list:
  type-qualifier
  type-qualifier-list type-qualifier
 ...
 type-qualifier:
  const
  restrict
  volatile

So the examples go like:

const char foo;			// immutable object
const char *foo;		// mutable pointer to object
char * const foo;		// immutable pointer to mutable object
const char * const foo;		// immutable pointer to immutable object
const char const * const foo; 	// XXX extra const keyword in the middle
const char * const * const foo; // immutable pointer to immutable
				//   pointer to immutable object
const char ** const foo;	// immutable pointer to mutable pointer
				//   to immutable object

Making const left-associative for * and right-associative for everything
else may not have been the best choice ever, but here we are, and the
inevitable result is people using trying to use const (as they should!),
putting it at the wrong place, fighting with the compiler for a bit, and
then either removing it or typecasting something in a bad way.  I won't
go into describing restrict, but its syntax has exactly the same issue
as with const.

Anyway, the last example above actually represents the *behavior* that's
required of strtol()-like functions, so that's our choice for the "end"
pointer.

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-02-28 12:41:29 +01:00
Vladimir Serbinenko
061258a05e Regenerate checksum.h with newer unifont.
Old link is broken. New unifont is
http://ftp.de.debian.org/debian/pool/main/u/unifont/xfonts-unifont_9.0.06-2_all.deb
2017-08-30 17:12:04 +02:00
Pete Batard
bdd89d239c core: use GRUB_TERM_ definitions when handling term characters
* Also use hex value for GRUB_TERM_ESC as '\e' is not in the C standard and is not understood by some compilers
2017-08-07 19:28:22 +02:00
Vladimir Serbinenko
dc6e1b5af8 strtoull: Fix behaviour on chars between '9' and 'a'.
Reported by: Aaron Miller <aaronmiller@fb.com>
2017-05-03 12:59:58 +02:00
Vladimir Serbinenko
b0bad6fd94 Bump version to 2.03 2017-05-03 11:55:52 +02:00
Vladimir Serbinenko
e54c99aaff Increase version to 2.02. 2017-04-25 16:23:16 +02:00
Andrei Borzenkov
4bd4a88725 i386, x86_64, ppc: fix switch fallthrough cases with GCC7
In util/getroot and efidisk slightly modify exitsing comment to mostly
retain it but still make GCC7 compliant with respect to fall through
annotation.

In grub-core/lib/xzembed/xz_dec_lzma2.c it adds same comments as
upstream.

In grub-core/tests/setjmp_tets.c declare functions as "noreturn" to
suppress GCC7 warning.

In grub-core/gnulib/regexec.c use new __attribute__, because existing
annotation is not recognized by GCC7 parser (which requires that comment
immediately precedes case statement).

Otherwise add FALLTHROUGH comment.

Closes: 50598
2017-04-04 19:23:55 +03:00
Vladimir Serbinenko
8014b7b337 Increment version to GRUB 2.02~rc2. 2017-03-15 09:20:29 +01:00
Vladimir Serbinenko
ec4aca088a Fix truncated checksum.h. 2017-02-03 20:17:48 +01:00
Vladimir Serbinenko
fcb1528d93 Regenerate checksums.h
Screenshots contain version, so we need new checksums.
2017-02-03 13:44:56 +01:00
Vladimir Serbinenko
08438d783f Add missing strtoull_test.c
It was forgotten in my local directory.
2017-02-01 21:50:17 +01:00
Vladimir Serbinenko
0704e83a1b Regenerate checksum.h.
Screenshots checked.
Using unifont from http://ftp.us.debian.org/debian/pool/main/u/unifont/xfonts-unifont_7.0.06-1_all.deb.
2017-01-31 22:36:11 +01:00
Vladimir Serbinenko
06a3b0b214 Regenerate checksums 2016-02-26 11:37:47 +01:00
Vladimir Serbinenko
cc2ed41039 arm: Ignore qemu clock bug 2016-01-22 10:12:43 +01:00
Vladimir Serbinenko
300be005a8 Update checksums 2016-01-05 11:55:30 +01:00
Vladimir Serbinenko
064360e667 Remove libgcc dependency.
libgcc for boot environment isn't always present and compatible.
libgcc is often absent if endianness or bit-size at boot is different
from running OS.
libgcc may use optimised opcodes that aren't available on boot time.
So instead of relying on libgcc shipped with the compiler, supply
the functions in GRUB directly.
Tests are present to ensure that those replacement functions behave the
way compiler expects them to.
2015-03-03 20:50:37 +01:00
Vladimir Serbinenko
f034fab620 Supply signed division to fix ARM compilation.
Previously we supplied only unsigned divisions on platforms that need software
division.
Yet compiler may itself use a signed division. A typical example would be a
difference between 2 pointers which involves division by object size.
2015-02-23 04:12:04 +01:00
Vladimir Serbinenko
e77dc3d9a0 kernel-8086: Switch to more portable .org. 2015-02-21 20:24:59 +01:00
Vladimir Serbinenko
2426ac36d3 div_test: Don't try to divide by zero 2015-02-21 16:05:45 +01:00
Andrey Borzenkov
954fe77163 cleanup: grub_cpu_to_XXX_compile_time for constants
This tries to catch all cases where grub_cpu_to_XXX was used for constant
expressions (including sizeof).
2014-09-22 20:47:10 +04:00
Vladimir Serbinenko
41c6f91fce * grub-core/normal/main.c: Don't drop to rescue console in
case of password-protected prompt and no menu entries.
2014-09-21 18:51:09 +02:00
Vladimir Serbinenko
5e42618e00 Fix wrong commit 2014-09-21 18:18:03 +02:00
Michael Chang
0aece00c54 * grub-core/osdep/unix/config.c: Remove extraneous comma. 2014-09-21 17:49:13 +02:00
Vladimir Serbinenko
2a123f4c58 * grub-core/tests/sleep_test.c: Silence spurious warning. 2013-12-16 20:32:43 +01:00
Vladimir Serbinenko
04b0285701 New functional test for sleep function.
This test allows to check sleep without qemu. Keep qemu version as
	well as functional test won't notice if all clocks are going too fast
	or too slow.
2013-12-15 17:57:58 +01:00
Vladimir Serbinenko
7e47e27bd8 Add gcc_struct to all packed structures when compiling with mingw.
Just "packed" doesn't always pack the way we expect.
2013-12-15 14:14:30 +01:00
Vladimir Serbinenko
dafff9ce44 * grub-core/normal/charset.c: Fix premature line wrap and crash.
Crash happened only in some cases like a string starting at the
	half of the screen of same length.
2013-12-11 17:06:00 +01:00
Vladimir Serbinenko
c311ced5d7 Make arm-emu work. 2013-12-08 02:59:21 +01:00
Vladimir Serbinenko
ea7c1a7d90 * grub-core/tests/videotest_checksum.c: Don't reload unifont if it's
already loaded. This saves memory needed for tests,
2013-11-18 14:38:31 +01:00
Vladimir Serbinenko
f8b4c3b6b3 * grub-core/tests/gfxterm_menu.c: Skip high-resolution tests on
low-memory platforms where we don't have enough memory for them.
	* grub-core/tests/videotest_checksum.c: Likewise.
2013-11-18 11:48:07 +01:00
Vladimir Serbinenko
4bf703206d * grub-core/tests/cmdline_cat_test.c: Don't reload unifont if it's
already loaded. This saves memory needed for tests,
2013-11-18 11:45:55 +01:00
Vladimir Serbinenko
0ab8e025c1 * grub-core/tests/cmdline_cat_test.c (cmdline_cat_test): Ignore errors
of loading gfxterm as gfxterm is embed in kernel on some platforms.
	* grub-core/tests/gfxterm_menu.c (gfxterm_menu): Likewise.
	Load gfxmenu.
2013-11-17 02:13:33 +01:00
Vladimir Serbinenko
b0720b4988 * grub-core/Makefile.core.def (legacy_password_test): Disable
on platforms where no legacycfg is compiled.
	* grub-core/tests/lib/functional_test.c: Tolerate failure to
	load legacy_password_test.
2013-11-12 18:44:58 +01:00
Vladimir Serbinenko
61c22fdf36 * grub-core/tests/signature_test.c: New test. 2013-11-12 16:05:57 +01:00
Vladimir Serbinenko
b521bb816d * grub-core/tests/legacy_password_test.c (vectors): Make static.
* grub-core/tests/pbkdf2_test.c (vectors): Likewise.
2013-11-12 15:59:58 +01:00
Vladimir Serbinenko
7d06b24eac * grub-core/tests/setjmp_test.c: Reset counter to 0 before starting. 2013-11-12 15:58:50 +01:00
Vladimir Serbinenko
3bbeade41d * grub-core/fs/proc.c: Allow \0 in proc files. 2013-11-12 15:57:09 +01:00
Vladimir Serbinenko
ba82db7a0d * grub-core/tests/xnu_uuid_test.c: Fix assert message. 2013-11-12 14:11:34 +01:00
Vladimir Serbinenko
801564c804 * grub-core/tests/xnu_uuid_test.c: Fix copyright year. 2013-11-12 14:07:34 +01:00
Vladimir Serbinenko
15decd26cc * grub-core/tests/legacy_password_test.c: New test.
* grub-core/commands/legacycfg.c: Remove variable length arrays.
2013-11-12 02:38:33 +01:00
Vladimir Serbinenko
41f26e0ebc * grub-core/tests/pbkdf2_test.c: New test. 2013-11-12 01:51:36 +01:00
Vladimir Serbinenko
a388e25576 * grub-core/tests/xnu_uuid_test.c: New test. 2013-11-12 01:18:27 +01:00
Vladimir Serbinenko
31747dd521 * grub-core/tests/gfxterm_menu.c (gfxterm_menu): Handle out-of-memory
condition.
	* tests/grub_func_test.in: Increase memory allocation.
2013-11-12 00:44:00 +01:00
Vladimir Serbinenko
d6d8e9a93e * include/grub/gui.h (grub_fixed_sfs_divide): Round rather than
truncate.
	(grub_fixed_fsf_divide): Likewise.
2013-11-08 16:17:29 +01:00
Vladimir Serbinenko
d061fda7e9 * grub-core/tests/div_test.c: New test. 2013-11-08 15:01:59 +01:00
Vladimir Serbinenko
79054c1d1e * grub-core/tests/video_checksum.c: Add 2560x1440 mode to testing. 2013-11-04 00:40:14 +01:00
Vladimir 'phcoder' Serbinenko
99519c154c * grub-core/tests/video_checksum.c (grub_video_capture_write_bmp):
Use GRUB_UTIL_FD_O_* rather than O_*.
2013-10-19 23:48:24 +02:00
Vladimir Testov
71237a6f0f * grub-core/tests/checksums.h: Regenerated due to progress bar
get_minimal_size changes.
2013-10-18 16:11:48 +04:00
Vladimir 'phcoder' Serbinenko
f4e0adc0f9 Remove leftover references to some of the system headers. 2013-10-15 17:59:54 +02:00