61b7ca08d1
This requires a very weird input from the serial interface but can cause an overflow in input_buf (keys) overwriting the next variable (npending) with the user choice:

(pahole output)

    struct grub_terminfo_input_state {
            int                        input_buf[6];         /*     0    24 */
            int                        npending;             /*    24     4 */ <- CORRUPT
            ...snip...

The magic string required to cause this is "ESC,O,],0,1,2,q" and we overflow npending with "q" (aka increase npending to 161). The simplest fix is just to disallow overwrites of input_buf, which is exactly what this patch does.

Fixes: CID 292449

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

||
---|---|---|
.. | ||
arc | ||
arm | ||
efi | ||
i386 | ||
ieee1275 | ||
uboot | ||
xen | ||
at_keyboard.c | ||
gfxterm.c | ||
gfxterm_background.c | ||
morse.c | ||
ns8250.c | ||
ps2.c | ||
serial.c | ||
spkmodem.c | ||
terminfo.c | ||
tparm.c | ||
usb_keyboard.c |