This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:
X = grub_malloc(arithmetic_expr);
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.
Among other issues, this fixes:
- allocation of integer overflow in grub_video_bitmap_create()
reported by Chris Coulson,
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in grub_squash_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in grub_ext2_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in read_section_as_string()
reported by Chris Coulson.
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This modifies most of the places we do some form of:
X = malloc(Y * Z);
to use calloc(Y, Z) instead.
Among other issues, this fixes:
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in luks_recover_key()
reported by Chris Coulson,
- allocation of integer overflow in grub_lvm_detect()
reported by Chris Coulson.
Fixes: CVE-2020-14308
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
We may get more than one response before exiting out of loop in
grub_net_dns_lookup, but buffer was allocated for the first response only,
so storing answers from subsequent replies wrote past allocated size.
We never really use more than the very first address during lookup so there
is little point in collecting all of them. Just quit early if we already have
some reply.
Code needs serious redesign to actually collect multiple answers
and select the best fit according to requested type (IPv4 or IPv6).
Reported and tested by Michael Chang <mchang@suse.com>
We were resetting nb->data every time we tried a new server, but we need to do
it every time we try for a different record, otherwise we don't end up falling
back to the A record properly. Thanks,
Signed-off-by: Josef Bacik <jbacik@fb.com>
Adding multiple questions on a single DNS query is not supportted by
most DNS servers. This patch issues two separate DNS queries
sequentially for ipv4 and then for ipv6.
Fixes: https://savannah.gnu.org/bugs/?39710
* grub-core/net/bootp.c (parse_dhcp_vendor): Add DNS option.
* grub-core/net/dns.c (grub_dns_qtype_id): New enum.
* (grub_net_dns_lookup): Now using separated dns packages.
* (grub_cmd_nslookup): Add error condition.
* (grub_cmd_list_dns): Print DNS option.
* (grub_cmd_add_dns): Add four parameters: --only-ipv4,
* --only-ipv6, --prefer-ipv4, and --prefer-ipv6.
* include/grub/net.h (grub_dns_option_t): New enum.
* (grub_net_network_level_address): option added.
Also-by: Paulo Flabiano Smorigo <pfsmorigo@br.ibm.com>
Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@br.ibm.com>
* include/grub/net.h (grub_net_poll_cards): New argument stop_condition.
All users updated.
* grub-core/net/arp.c (have_pending): New var.
(pending_req): Likewise.
(grub_net_arp_send_request): Fill pending_req and use have_pending as
stop indicator.
(grub_net_arp_receive): Set have_pending.
* grub-core/net/dns.c (recv_data): New field stop.
(recv_hook): Set stop.
(grub_net_dns_lookup): Init stop and use as stop condition.
* grub-core/net/http.c (http_establish): Use headers_recv as stop
condition.
* grub-core/net/net.c (grub_net_poll_cards): New argument
stop_condition. Stop when it goes true.
* grub-core/net/tcp.c (grub_net_tcp_open): Use `established' as stop
indicator.
* grub-core/net/tftp.c (tftp_open): Use `have_oack' as stop indicator.
