grub/grub-core/script/argv.c
Peter Jones 3f05d693d1 malloc: Use overflow checking primitives where we do complex allocations
This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:

  X = grub_malloc(arithmetic_expr);

It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.

Among other issues, this fixes:
  - allocation of integer overflow in grub_video_bitmap_create()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_squash_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_ext2_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in read_section_as_string()
    reported by Chris Coulson.

Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-07-29 16:55:47 +02:00

165 lines
3.3 KiB
C

/* argv.c - methods for constructing argument vector */
/*
* GRUB -- GRand Unified Bootloader
* Copyright (C) 2010 Free Software Foundation, Inc.
*
* GRUB is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* GRUB is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
*/
#include <grub/mm.h>
#include <grub/misc.h>
#include <grub/script_sh.h>
#include <grub/safemath.h>
/* Return nearest power of two that is >= v. */
static unsigned
round_up_exp (unsigned v)
{
COMPILE_TIME_ASSERT (sizeof (v) == 4);
v--;
v |= v >> 1;
v |= v >> 2;
v |= v >> 4;
v |= v >> 8;
v |= v >> 16;
v++;
v += (v == 0);
return v;
}
void
grub_script_argv_free (struct grub_script_argv *argv)
{
unsigned i;
if (argv->args)
{
for (i = 0; i < argv->argc; i++)
grub_free (argv->args[i]);
grub_free (argv->args);
}
argv->argc = 0;
argv->args = 0;
argv->script = 0;
}
/* Make argv from argc, args pair. */
int
grub_script_argv_make (struct grub_script_argv *argv, int argc, char **args)
{
int i;
struct grub_script_argv r = { 0, 0, 0 };
for (i = 0; i < argc; i++)
if (grub_script_argv_next (&r)
|| grub_script_argv_append (&r, args[i], grub_strlen (args[i])))
{
grub_script_argv_free (&r);
return 1;
}
*argv = r;
return 0;
}
/* Prepare for next argc. */
int
grub_script_argv_next (struct grub_script_argv *argv)
{
char **p = argv->args;
grub_size_t sz;
if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
return 0;
if (grub_add (argv->argc, 2, &sz) ||
grub_mul (sz, sizeof (char *), &sz))
return 1;
p = grub_realloc (p, round_up_exp (sz));
if (! p)
return 1;
argv->argc++;
argv->args = p;
if (argv->argc == 1)
argv->args[0] = 0;
argv->args[argv->argc] = 0;
return 0;
}
/* Append `s' to the last argument. */
int
grub_script_argv_append (struct grub_script_argv *argv, const char *s,
grub_size_t slen)
{
grub_size_t a;
char *p = argv->args[argv->argc - 1];
grub_size_t sz;
if (! s)
return 0;
a = p ? grub_strlen (p) : 0;
if (grub_add (a, slen, &sz) ||
grub_add (sz, 1, &sz) ||
grub_mul (sz, sizeof (char), &sz))
return 1;
p = grub_realloc (p, round_up_exp (sz));
if (! p)
return 1;
grub_memcpy (p + a, s, slen);
p[a+slen] = 0;
argv->args[argv->argc - 1] = p;
return 0;
}
/* Split `s' and append words as multiple arguments. */
int
grub_script_argv_split_append (struct grub_script_argv *argv, const char *s)
{
const char *p;
int errors = 0;
if (! s)
return 0;
while (*s && grub_isspace (*s))
s++;
while (! errors && *s)
{
p = s;
while (*s && ! grub_isspace (*s))
s++;
errors += grub_script_argv_append (argv, p, s - p);
while (*s && grub_isspace (*s))
s++;
if (*s)
errors += grub_script_argv_next (argv);
}
return errors;
}