Commit graph

49 commits

Author SHA1 Message Date
Peter Jones
f725fa7cb2 calloc: Use calloc() at most places
This modifies most of the places we do some form of:

  X = malloc(Y * Z);

to use calloc(Y, Z) instead.

Among other issues, this fixes:
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in luks_recover_key()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_lvm_detect()
    reported by Chris Coulson.

Fixes: CVE-2020-14308

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-07-29 16:55:47 +02:00
Peter Jones
d5a32255de misc: Make grub_strtol() "end" pointers have safer const qualifiers
Currently the string functions grub_strtol(), grub_strtoul(), and
grub_strtoull() don't declare the "end" pointer in such a way as to
require the pointer itself or the character array to be immutable to the
implementation, nor does the C standard do so in its similar functions,
though it does require us not to change any of it.

The typical declarations of these functions follow this pattern:

long
strtol(const char * restrict nptr, char ** restrict endptr, int base);

Much of the reason for this is historic, and a discussion of that
follows below, after the explanation of this change.  (GRUB currently
does not include the "restrict" qualifiers, and we name the arguments a
bit differently.)

The implementation is semantically required to treat the character array
as immutable, but such accidental modifications aren't stopped by the
compiler, and the semantics for both the callers and the implementation
of these functions are sometimes also helped by adding that requirement.

This patch changes these declarations to follow this pattern instead:

long
strtol(const char * restrict nptr,
       const char ** const restrict endptr,
       int base);

This means that if any modification to these functions accidentally
introduces either an errant modification to the underlying character
array, or an accidental assignment to endptr rather than *endptr, the
compiler should generate an error.  (The two uses of "restrict" in this
case basically mean strtol() isn't allowed to modify the character array
by going through *endptr, and endptr isn't allowed to point inside the
array.)

It also means the typical use case changes to:

  char *s = ...;
  const char *end;
  long l;

  l = strtol(s, &end, 10);

Or even:

  const char *p = str;
  while (p && *p) {
	  long l = strtol(p, &p, 10);
	  ...
  }

This fixes 26 places where we discard our attempts at treating the data
safely by doing:

  const char *p = str;
  long l;

  l = strtol(p, (char **)&ptr, 10);

It also adds 5 places where we do:

  char *p = str;
  while (p && *p) {
	  long l = strtol(p, (const char ** const)&p, 10);
	  ...
	  /* more calls that need p not to be pointer-to-const */
  }

While moderately distasteful, this is a better problem to have.

With one minor exception, I have tested that all of this compiles
without relevant warnings or errors, and that /much/ of it behaves
correctly, with gcc 9 using 'gcc -W -Wall -Wextra'.  The one exception
is the changes in grub-core/osdep/aros/hostdisk.c , which I have no idea
how to build.

Because the C standard defined type-qualifiers in a way that can be
confusing, in the past there's been a slow but fairly regular stream of
churn within our patches, which add and remove the const qualifier in many
of the users of these functions.  This change should help avoid that in
the future, and in order to help ensure this, I've added an explanation
in misc.h so that when someone does get a compiler warning about a type
error, they have the fix at hand.

The reason we don't have "const" in these calls in the standard is
purely anachronistic: C78 (de facto) did not have type qualifiers in the
syntax, and the "const" type qualifier was added for C89 (I think; it
may have been later).  strtol() appears to date from 4.3BSD in 1986,
which means it could not be added to those functions in the standard
without breaking compatibility, which is usually avoided.

The syntax chosen for type qualifiers is what has led to the churn
regarding usage of const, and is especially confusing on string
functions due to the lack of a string type.  Quoting from C99, the
syntax is:

 declarator:
  pointer[opt] direct-declarator
 direct-declarator:
  identifier
  ( declarator )
  direct-declarator [ type-qualifier-list[opt] assignment-expression[opt] ]
  ...
  direct-declarator [ type-qualifier-list[opt] * ]
  ...
 pointer:
  * type-qualifier-list[opt]
  * type-qualifier-list[opt] pointer
 type-qualifier-list:
  type-qualifier
  type-qualifier-list type-qualifier
 ...
 type-qualifier:
  const
  restrict
  volatile

So the examples go like:

const char foo;			// immutable object
const char *foo;		// mutable pointer to object
char * const foo;		// immutable pointer to mutable object
const char * const foo;		// immutable pointer to immutable object
const char const * const foo; 	// XXX extra const keyword in the middle
const char * const * const foo; // immutable pointer to immutable
				//   pointer to immutable object
const char ** const foo;	// immutable pointer to mutable pointer
				//   to immutable object

Making const left-associative for * and right-associative for everything
else may not have been the best choice ever, but here we are, and the
inevitable result is people using trying to use const (as they should!),
putting it at the wrong place, fighting with the compiler for a bit, and
then either removing it or typecasting something in a bad way.  I won't
go into describing restrict, but its syntax has exactly the same issue
as with const.

Anyway, the last example above actually represents the *behavior* that's
required of strtol()-like functions, so that's our choice for the "end"
pointer.

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-02-28 12:41:29 +01:00
Matthew Garrett
d3a5e812c5 verifiers: Verify commands executed by grub
Pass all commands executed by GRUB to the verifiers layer. Most verifiers will
ignore this, but some (such as the TPM verifier) want to be able to measure and
log each command executed in order to ensure that the boot state is as expected.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2018-12-12 13:17:52 +01:00
Andrei Borzenkov
b95e926788 script: fix memory leak
Found by: Coverity scan.
CID: 96637
2016-01-12 22:50:30 +03:00
Andrei Borzenkov
9883307a52 script/execute.c: fix memory leak.
Make sure to continue loop over array after failure to free
allocated strings.

Found by: Coverity scan.
2015-01-28 20:35:28 +03:00
Andrey Borzenkov
593e430cd6 * grub-core/script/execute.c (grub_script_execute_sourcecode): Split
off new function grub_script_execute_new_scope. Change callers to use
	either of them as appropriate.
	* grub-core/commands/eval.c: New command eval.
	* docs/grub.texi (Commands): Document it.
2013-06-07 18:36:42 +02:00
Vladimir 'phcoder' Serbinenko
bdc4add8ca * grub-core/script/execute.c (grub_script_arglist_to_argv): Fix
handling of variables containing backslash.
2013-04-29 12:02:26 +02:00
Vladimir 'phcoder' Serbinenko
73b5d90fe2 * grub-core/script/execute.c (grub_script_arglist_to_argv): Move
append out of its parent.
2013-03-03 15:26:29 +01:00
Vladimir 'phcoder' Serbinenko
396d4091e7 * grub-core/script/execute.c (gettext_append): Remove nested functions. 2013-03-02 12:17:52 +01:00
Colin Watson
09fd6d8293 Remove nested functions from script reading and parsing.
* grub-core/kern/parser.c (grub_parser_split_cmdline): Add
getline_data argument, passed to getline.
* grub-core/kern/rescue_parser.c (grub_rescue_parse_line): Add
getline_data argument, passed to grub_parser_split_cmdline.
* grub-core/script/lexer.c (grub_script_lexer_yywrap): Pass
lexerstate->getline_data to lexerstate->getline.
(grub_script_lexer_init): Add getline_data argument, saved in
lexerstate->getline_data.
* grub-core/script/main.c (grub_normal_parse_line): Add getline_data
argument, passed to grub_script_parse.
* grub-core/script/script.c (grub_script_parse): Add getline_data
argument, passed to grub_script_lexer_init.
* include/grub/parser.h (grub_parser_split_cmdline): Update
prototype.  Update all callers to pass appropriate getline data.
(struct grub_parser.parse_line): Likewise.
(grub_rescue_parse_line): Likewise.
* include/grub/reader.h (grub_reader_getline_t): Add void *
argument.
* include/grub/script_sh.h (struct grub_lexer_param): Add
getline_data member.
(grub_script_parse): Update prototype.  Update all callers to pass
appropriate getline data.
(grub_script_lexer_init): Likewise.
(grub_normal_parse_line): Likewise.

* grub-core/commands/legacycfg.c (legacy_file_getline): Add unused
data argument.
* grub-core/kern/parser.c (grub_parser_execute: getline): Make
static instead of nested.  Rename to ...
(grub_parser_execute_getline): ... this.
* grub-core/kern/rescue_reader.c (grub_rescue_read_line): Add unused
data argument.
* grub-core/normal/main.c (read_config_file: getline): Make static
instead of nested.  Rename to ...
(read_config_file_getline): ... this.
(grub_normal_read_line): Add unused data argument.
* grub-core/script/execute.c (grub_script_execute_sourcecode:
getline): Make static instead of nested.  Rename to ...
(grub_script_execute_sourcecode_getline): ... this.
* util/grub-script-check.c (main: get_config_line): Make static
instead of nested.
2013-01-15 12:03:25 +00:00
Vladimir 'phcoder' Serbinenko
cde393c9a3 * grub-core/script/execute.c (grub_script_arglist_to_argv): Escape
blocks.
2012-06-21 22:02:09 +02:00
Vladimir 'phcoder' Serbinenko
485568790c Fix wildcard regexp dot and other special characters handling.
Reported by: Robert Mabee.

	* grub-core/commands/wildcard.c (isregexop): Add "|+{}[]?".
	(make_regex): Escape "|+{}[]". Transform '?' to '.?'.
	(split_path): Trigger expansion on '?'.
	(unescape): New function.
	(wildcard_expand): Unescape parts copied without globbing.
	* grub-core/script/execute.c (wildcard_escape): Escape '?'.
	(grub_script_arglist_to_argv): Don't unescape expansions.
2012-06-19 14:13:19 +02:00
Vladimir 'phcoder' Serbinenko
5e619f408d Fix wildcard escaping.
* grub-core/commands/wildcard.c (wildcard_escape): Moved from here ...
	* grub-core/script/execute.c (wildcard_escape): .. to here.
	Don't escape dot.
	* grub-core/commands/wildcard.c (wildcard_unescape): Moved from here ...
	* grub-core/script/execute.c (wildcard_unescape): .. to here.
	Don't escape dot.
	* grub-core/script/execute.c (gettext_append): Always escape.
	(grub_script_arglist_to_argv): Always handle escaping/unescaping.
	* grub-core/script/yylex.l: Don't cut away the escaping.
	* tests/grub_script_echo1.in: Add tests with wildcard.
2012-06-08 22:54:21 +02:00
Vladimir 'phcoder' Serbinenko
0ae4f0bddb * grub-core/commands/i386/pc/play.c: Improve TRANSLATORS comments.
* grub-core/commands/regexp.c: Likewise.
	* grub-core/loader/i386/linux.c: Likewise.
	* grub-core/partmap/msdos.c: Likewise.
	* grub-core/script/execute.c: Likewise.
	* grub-core/term/gfxterm.c: Likewise.
2012-03-11 23:36:35 +01:00
Vladimir 'phcoder' Serbinenko
546fbe9b5a Add variable parsing in $"..." and fix several mismatches with bash.
* Makefile.util.def (grub_script_gettext): New test.
	* grub-core/script/execute.c (parse_string): New function.
	(gettext_append): Likewise.
	(grub_script_arglist_to_argv): Use gettext_append.
	* grub-core/script/yylex.l: Fix slash and newline handling in $"...".
	* tests/grub_script_gettext.in: New file.
2012-03-11 14:46:48 +01:00
Vladimir 'phcoder' Serbinenko
e8e0566b0c * grub-core/commands/videoinfo.c: Add TRANSLATORS comments.
* grub-core/commands/xnu_uuid.c: Likewise.
	* grub-core/loader/efi/appleloader.c: Likewise.
	* grub-core/script/execute.c: Likewise.
	* grub-core/script/main.c: Likewise.
	* util/grub-mkfont.c: Likewise.
2012-03-10 13:19:46 +01:00
Vladimir 'phcoder' Serbinenko
ef292a8775 * grub-core/net/http.c: Add TRANSLATORS comments.
* grub-core/normal/cmdline.c: Likewise.
	* grub-core/normal/misc.c: Likewise.
	* grub-core/partmap/msdos.c: Likewise.
	* grub-core/parttool/msdospart.c: Likewise.
	* grub-core/script/execute.c: Likewise.
	* grub-core/script/main.c: Likewise.
	* grub-core/term/terminfo.c: Likewise.
	* grub-core/video/bitmap.c: Likewise.
	* util/grub-install.in: Likewise.
	* util/grub-mkimage.c: Likewise.
	* util/grub-mklayout.c: Likewise.
	* util/grub-setup.c: Likewise.
2012-03-05 16:42:26 +01:00
Vladimir 'phcoder' Serbinenko
0d31b7df86 * grub-core/script/execute.c (grub_script_return): Replace ambiguous
"scope" with "body".
2012-03-04 12:14:33 +01:00
Vladimir 'phcoder' Serbinenko
7e8fac16ad $"..." support in scripts.
* grub-core/script/execute.c (grub_script_arglist_to_argv): Handle
	GRUB_SCRIPT_ARG_TYPE_GETTEXT.
	* grub-core/script/yylex.l: Likewise.
	* include/grub/script_sh.h (GRUB_SCRIPT_ARG_TYPE_GETTEXT): New enum
	value.
2012-02-26 19:02:46 +01:00
Vladimir 'phcoder' Serbinenko
67093bc0ed Another round of string clarification and adding TRANSLATORS comments. 2012-02-26 17:28:05 +01:00
Vladimir 'phcoder' Serbinenko
d9a62292e3 * grub-core/script/execute.c (grub_script_break): Clarify logic.
Better error handling.
	(grub_script_return): Likewise.
	* grub-core/script/lexer.c (grub_script_lexer_yywrap): Likewise.
2012-02-12 21:33:48 +01:00
Vladimir 'phcoder' Serbinenko
d61386e21d Improve string. Gettextize. 2012-02-12 15:25:25 +01:00
Vladimir 'phcoder' Serbinenko
1e5ec32f2d * grub-core/script/execute.c (grub_script_return): Fix warning. 2012-02-04 12:21:21 +01:00
Vladimir 'phcoder' Serbinenko
ac576cde1d * grub-core/script/execute.c (grub_script_return): Fix potential
NULL-dereference.
	Reported by: Jim Meyering.
2012-02-04 11:52:10 +01:00
Vladimir 'phcoder' Serbinenko
9c2710789f Eliminate grub_min/grub_max prone to overflow usage.
* grub-core/bus/usb/usbhub.c (grub_usb_add_hub): Eliminate grub_min.
	(poll_nonroot_hub): Likewise.
	* grub-core/fs/affs.c (grub_affs_iterate_dir): Likewise.
	(grub_affs_label): Likewise.
	* grub-core/fs/btrfs.c (grub_btrfs_lzo_decompress): Likewise.
	* grub-core/fs/hfs.c (grub_hfs_dir): Likewise.
	(grub_hfs_label): Likewise.
	* grub-core/fs/hfsplus.c (grub_hfsplus_cmp_catkey): Likewise.
	* grub-core/fs/zfs/zfs.c (MIN): Remove.
	(zap_leaf_array_equal): Use grub_size. Remove MIN.
	(zap_leaf_array_get): Likewise.
	(dnode_get_path): Likewise.
	* grub-core/io/lzopio.c (grub_lzopio_read): Eliminate grub_min.
	* grub-core/io/xzio.c (grub_xzio_read): Likewise.
	* grub-core/script/execute.c (grub_script_break): Likewise.
	* grub-core/script/lexer.c (grub_script_lexer_record): Eliminate
	grub_max.
	* grub-core/script/yylex.l (grub_lexer_yyrealloc): Likewise.
	* include/grub/misc.h (grub_min): Removed.
	(grub_max): Likewise.
2012-01-14 15:44:34 +01:00
Vladimir 'phcoder' Serbinenko
d35d0d3753 Add const keyword to grub_env_get and gettextize week days.
* grub-core/hook/datehook.c (grub_datetime_names): Make const.
	(grub_read_hook_datetime): Return const char *.
	* grub-core/kern/env.c (grub_env_get): Return const char *. All users
	updated.
	* grub-core/normal/datetime.c (grub_weekday_names): Make const.
	Mark for gettext.
	(grub_get_weekday_name): Return const char *. Call gettext.
	* grub-core/script/argv.c (grub_script_argv_append): Receive const
	char * and len as the argument. All users updated.
	(grub_script_argv_split_append): Receive const char *.
	* include/grub/datetime.h (grub_get_weekday_name): Update proto.
	* include/grub/env.h (grub_env_get): Likewise.
	(grub_env_read_hook_t): Return const char *.
	* include/grub/script_sh.h (grub_script_argv_append): Update proto.
	(grub_script_argv_split_append): Likewise.
2011-11-11 20:34:37 +01:00
BVK Chaitanya
a8152fedab suppress shell expansion inside quoted strings 2010-11-07 16:13:14 +05:30
Vladimir 'phcoder' Serbinenko
74ccb5b5e2 * grub-core/script/execute.c (grub_script_execute_sourcecode): Set
flags.
2010-09-30 20:59:20 +02:00
Vladimir 'phcoder' Serbinenko
a38b701cbf Rename jail to extractor 2010-09-20 23:01:34 +02:00
Vladimir 'phcoder' Serbinenko
7756d44436 Basic menuentry-retrieveing jail 2010-09-16 23:48:32 +02:00
bvk.groups@gmail.com
058e30ac09 Not command (!) support to GRUB script.
* tests/grub_script_not.in: New test.
	* Makefile.util.def: Rules for new test.

	* grub-core/script/execute.c (grub_script_execute_cmdline): Handle
	! command as a special case.
	* grub-core/script/yylex.l (GRUB_PARSER_TOKEN_NOT): Removed.
2010-09-08 09:21:02 +05:30
bvk.groups@gmail.com
a0b5f6bcb1 update grub_errno as per the return value 2010-09-07 21:46:04 +05:30
BVK Chaitanya
1bce65c7b1 not command (!) support 2010-09-05 14:57:28 +05:30
BVK Chaitanya
ee14ec9935 merge with mainline 2010-09-04 22:34:32 +05:30
BVK Chaitanya
ed8c6dec96 Support for options to appear multiple times on cmdline.
* include/grub/lib/arg.h (grub_arg_list_alloc): New prototype.
	* grub-core/commands/extcmd.c: Support for repeatable option.
	* grub-core/lib/arg.c (grub_arg_list_alloc): New function for
	repeatable option support.

	Refactor menuentry into a regular command.

	* grub-core/commands/menuentry.c: New file, menuentry command
	implementation.
	* grub-core/Makefile.core.def: Rule update for normal.mod.
	* grub-core/normal/main.c: Moved menuentry creation to
	grub-core/commands/menuentry.c.
	* grub-core/normal/menu.c (grub_menu_execute_entry): Removed.
	(grub_menu_execute_entry_real): Removed.
	* grub-core/script/execute.c (grub_script_execute_sourcecode): New
	function.
	(grub_script_execute_menuentry): Removed.
	* grub-core/script/parser.y (menuentry): Removed.
	* grub-core/script/script.c (grub_script_create_cmdmenu): Removed.
	* grub-core/script/yylex.l (menuentry): Removed.
	* include/grub/menu.h (grub_menu_init): New prototype.
	(grub_menu_fini): New prototype.
	* include/grub/normal.h (grub_normal_add_menu_entry): Removed.
	* include/grub/script_sh.h (grub_script_cmd_menuentry): Removed.
	(grub_script_execute_sourcecode): New prototype.
2010-09-04 21:43:54 +05:30
BVK Chaitanya
9fcd1ee541 merge with mainline 2010-09-04 21:02:48 +05:30
BVK Chaitanya
165bfce138 merge with mainline 2010-09-04 20:44:44 +05:30
BVK Chaitanya
cd652829a1 merge with mainline 2010-09-04 14:41:08 +05:30
BVK Chaitanya
49649ac85d review comments 2010-09-04 14:32:59 +05:30
BVK Chaitanya
6d7c073bc8 merge with mainline 2010-09-04 11:49:02 +05:30
BVK Chaitanya
227cab7c79 merge with mainline 2010-09-04 10:56:23 +05:30
BVK Chaitanya
cc7b1ab4d6 review comments 2010-09-03 20:35:23 +05:30
BVK Chaitanya
8fdefb9253 merge with mainline 2010-08-26 12:11:57 +05:30
BVK Chaitanya
47b4c2c3e8 pull-in block-arg branch 2010-08-26 11:32:35 +05:30
BVK Chaitanya
928bad4708 merge with mainline 2010-08-26 09:30:11 +05:30
BVK Chaitanya
aa5cd41af5 return command for functions 2010-08-25 19:35:52 +05:30
BVK Chaitanya
a9b85993ee merge with mainline 2010-08-25 14:45:56 +05:30
BVK Chaitanya
16c7cb32c8 merge with mainline 2010-08-19 16:54:00 +05:30
BVK Chaitanya
8c41176882 automake commit without merge history 2010-05-06 11:34:04 +05:30
Renamed from script/execute.c (Browse further)