3f05d693d1
This attempts to fix the places where we do the following where arithmetic_expr may include unvalidated data: X = grub_malloc(arithmetic_expr); It accomplishes this by doing the arithmetic ahead of time using grub_add(), grub_sub(), grub_mul() and testing for overflow before proceeding. Among other issues, this fixes: - allocation of integer overflow in grub_video_bitmap_create() reported by Chris Coulson, - allocation of integer overflow in grub_png_decode_image_header() reported by Chris Coulson, - allocation of integer overflow in grub_squash_read_symlink() reported by Chris Coulson, - allocation of integer overflow in grub_ext2_read_symlink() reported by Chris Coulson, - allocation of integer overflow in read_section_as_string() reported by Chris Coulson. Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 Signed-off-by: Peter Jones <pjones@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
||
---|---|---|
.. | ||
arm | ||
arm64 | ||
efi | ||
i386 | ||
ia64/efi | ||
mips | ||
powerpc/ieee1275 | ||
riscv | ||
sparc64/ieee1275 | ||
aout.c | ||
linux.c | ||
lzss.c | ||
macho.c | ||
macho32.c | ||
macho64.c | ||
machoXX.c | ||
multiboot.c | ||
multiboot_elfxx.c | ||
multiboot_mbi2.c | ||
xnu.c | ||
xnu_resume.c |