This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:
X = grub_malloc(arithmetic_expr);
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.
Among other issues, this fixes:
- allocation of integer overflow in grub_video_bitmap_create()
reported by Chris Coulson,
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in grub_squash_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in grub_ext2_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in read_section_as_string()
reported by Chris Coulson.
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This modifies most of the places we do some form of:
X = malloc(Y * Z);
to use calloc(Y, Z) instead.
Among other issues, this fixes:
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in luks_recover_key()
reported by Chris Coulson,
- allocation of integer overflow in grub_lvm_detect()
reported by Chris Coulson.
Fixes: CVE-2020-14308
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Historically this variable hold previous value of filename that
had to be freed if allocated previously. Currently this branch
is entered only if filename was not allocated previously so it
became redundant. It did not cause real problems because grub_free
was not called, but code is confusing and causes compilation error
in some cases.
memory corruption.
* grub-core/fs/iso9660.c (grub_fshelp_node): New field have_symlink.
Make symlink into an array.
(set_rockridge): Set have_symlink and alloc_dirents.
(grub_iso9660_read_symlink): Use new layout.
(grub_iso9660_iterate_dir): Fix memory corruption.
Use new layout.
(grub_iso9660_dir): Set have_symlink.
(grub_iso9660_open): Likewise.
* grub-core/fs/iso9660.c (grub_iso9660_mount): Move rockridge detection
to ...
(set_rockridge): ... here.
(grub_iso9660_mount): Check rockridge on the primary label when
discovering. Ignore Joliet if Rockridge is present.
* grub-core/fs/iso9660.c (grub_fshelp_node): Remove dir_off. Add symlink
All users updated.
(grub_iso9660_susp_iterate): Accept zero-size iterate.
(grub_iso9660_read_symlink): Moved most of code ...
(grub_iso9660_iterate_dir): ... here. Fill node->symlink.
* grub-core/fs/iso9660.c (grub_iso9660_data): Remove first_sector.
Add node.
(grub_fshelp_node): Revamp. All users updated.
(FLAG_*): New enum.
(read_node): New function.
(grub_iso9660_susp_iterate): Use read_node. Receive a node as argument.
All users updated.
(grub_iso9660_mount): Don't attempt to read sua when there is none.
(get_node_size): New function.
(grub_iso9660_iterate_dir): Use read_node. Agglomerate multi-extent
entries.
Fix memory leak on . and ..
(grub_iso9660_read): Use read_node.
(grub_iso9660_close): Free node.
* grub-core/fs/affs.c (grub_affs_time): New struct.
(grub_affs_file): New field mtime.
(grub_fshelp_node): Changed 'block' and 'parent' to more appropriate
type. Removed 'size'. New field 'di'. All users updated.
(grub_affs_mount): Simplify checsum checking.
(grub_affs_iterate_dir): New helper grub_affs_create_node.
(grub_affs_dir): Handle mtime.
* grub-core/fs/cpio.c (grub_cpio_find_file): Handle mtime.
(grub_cpio_dir): Likewise.
* grub-core/fs/hfs.c (grub_hfs_dirrec): New fields 'ctime' and 'mtime'.
(grub_hfs_filerec): New field mtime.
(grub_hfs_dir): Handle mtime.
(grub_hfs_mtime): New function.
(grub_hfs_fs): Register grub_hfs_mtime.
* grub-core/fs/iso9660.c (grub_iso9660_date2): New struct.
(grub_iso9660_dir): New field mtime.
(grub_fshelp_node): New field dirent.
(iso9660_to_unixtime): New function.
(iso9660_to_unixtime2): Likewise.
(grub_iso9660_read_symlink): Use node->dirent.
(grub_iso9660_iterate_dir): Likewise.
(grub_iso9660_dir): Set mtime.
(grub_iso9660_mtime): New function.
(grub_iso9660_fs): Register grub_iso9660_mtime.
* grub-core/fs/jfs.c (grub_jfs_time): New struct.
(grub_jfs_inode): New fields atime, ctime and mtime.
(grub_jfs_dir): Set mtime.
* grub-core/fs/minix.c (grub_minix_dir): Likewise.
* grub-core/fs/ntfs.c (list_file): Set mtime.
(grub_ntfs_dir): Likewise.
* grub-core/fs/reiserfs.c (grub_fshelp_node): New field 'mtime'.
(grub_reiserfs_iterate_dir): Set mtime.
(grub_reiserfs_dir): Likewise.
* grub-core/fs/sfs.c (grub_sfs_obj): New field mtime.
(grub_fshelp_node): Likewise.
(grub_sfs_iterate_dir): Set mtime.
(grub_sfs_dir): Likewise.
* grub-core/fs/udf.c (grub_udf_dir): Set mtime.
* grub-core/fs/xfs.c (grub_xfs_time): New struct.
(grub_xfs_inode): New fields atime, mtime, ctime.
(grub_xfs_dir): Set mtime.
* include/grub/datetime.h (grub_datetime2unixtime): New function.
* include/grub/hfs.h (grub_hfs_sblock): New fields ctime and mtime.
* include/grub/ntfs.h (grub_fshelp_node): New field mtime.
Support UDF symlinks.
* grub-core/fs/udf.c (grub_udf_iterate_dir): Handle symlinks.
(grub_ufs_read_symlink): New function. All users updated.
Check amiga partmap checksum.
* grub-core/partmap/amiga.c (grub_amiga_rdsk): Pad to 128 bytes.
(grub_amiga_partition): Likewise.
(amiga_partition_map_checksum): New function.
(amiga_partition_map_iterate): Check checksum.
