grub2/backport-0016-net-Fix-OOB-write-in-grub_net_search_config_file.patch
Qiumiao Zhang 2087a1b402 fix the vulnerabilities announced on February 18th, 2025
Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
2025-02-24 12:44:01 +00:00


From f21928173f423e66b0fcea9f34e87938d9aa2b0e Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Fri, 15 Nov 2024 13:12:09 +0000
Subject: [PATCH 16/30] net: Fix OOB write in grub_net_search_config_file()
The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
pass the underlying buffer's size to the grub_net_search_config_file().
Fixes: CVE-2025-0624
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/net.c | 7 ++++---
grub-core/normal/main.c | 2 +-
include/grub/net.h | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
index d19583e..b8c113f 100644
--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
@@ -1906,9 +1906,9 @@ grub_net_restore_hw (void)
}
grub_err_t
-grub_net_search_configfile (char *config)
+grub_net_search_configfile (char *config, grub_size_t config_buf_len)
{
- grub_size_t config_len;
+ grub_size_t config_len, suffix_len;
char *suffix;
auto int search_through (grub_size_t num_tries, grub_size_t slice_size);
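Review bot: the new parameter config_buf_len and the existing local config_len differ by only one word but mean different things (total buffer size versus current string length), which makes the later arithmetic easy to misread. Consider renaming the local to something like config_str_len, or adding a one-line comment at the declaration stating that config_buf_len is the size in bytes of the buffer behind config, including the terminator.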
@@ -1945,6 +1945,7 @@ grub_net_search_configfile (char *config)
config_len = grub_strlen (config);
config[config_len] = '-';
suffix = config + config_len + 1;
+ suffix_len = config_buf_len - (config_len + 1);
struct grub_net_network_level_interface *inf;
FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
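Review bot: suffix_len = config_buf_len - (config_len + 1) is unsigned arithmetic with no guard, and config[config_len] = '-' is written before the bound is even computed. If config_len + 1 exceeds config_buf_len the subtraction wraps to a very large grub_size_t and the later length limit stops limiting anything; if they are equal, the '-' has replaced the terminator in the last byte and suffix points one past the buffer with suffix_len of 0. Suggest checking config_len + 1 < config_buf_len up front and returning an error before the '-' is stored, so the function is safe on its own and does not depend on how the caller sized the buffer.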
@@ -1970,7 +1971,7 @@ grub_net_search_configfile (char *config)
if (client_uuid)
{
- grub_strcpy (suffix, client_uuid);
+ grub_strlcpy (suffix, client_uuid, suffix_len);
if (search_through (1, 0) == 0) return GRUB_ERR_NONE;
}
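Review bot: the return value of grub_strlcpy (suffix, client_uuid, suffix_len) is ignored, so an over-long client_uuid is silently truncated and search_through (1, 0) then looks for a config file name that no client actually asked for. Consider comparing the result against suffix_len and skipping the UUID lookup (or returning an error) when the value does not fit. This hunk only converts the client_uuid copy; any other writes through suffix elsewhere in the function, which are not shown here, should be checked against suffix_len in the same way.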
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 6d706db..b6198bd 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -359,7 +359,7 @@ grub_try_normal (const char *variable)
return GRUB_ERR_FILE_NOT_FOUND;
grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
- err = grub_net_search_configfile (config);
+ err = grub_net_search_configfile (config, config_len);
}
if (err != GRUB_ERR_NONE)
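Review bot: the commit message says the buffer is allocated in grub_cmd_normal() and names the callee grub_net_search_config_file(), but this call site sits in grub_try_normal() per the hunk header and the function is spelled grub_net_search_configfile() in the code; the message should match so the fix can be found by searching for the identifiers. On the code itself, config_len passed here is the same value given to grub_snprintf() as the buffer size, which is consistent, but the allocation is outside the hunk, so it is worth confirming that config is allocated with exactly config_len bytes and that this is the only caller needing the new argument.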
diff --git a/include/grub/net.h b/include/grub/net.h
index 5a01747..388b301 100644
--- a/include/grub/net.h
+++ b/include/grub/net.h
@@ -666,6 +666,6 @@ extern char *grub_net_default_server;
#define VLANTAG_IDENTIFIER 0x8100
grub_err_t
-grub_net_search_configfile (char *config);
+grub_net_search_configfile (char *config, grub_size_t config_buf_len);
#endif /* ! GRUB_NET_HEADER */
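Review bot: the prototype gains config_buf_len without any comment describing the contract. A short comment above the declaration stating that config is modified in place, that config_buf_len is the full size of that buffer in bytes, and that it must leave room for the '-' separator plus the longest suffix would help future callers pass the right value. The signature change will break any out-of-tree caller at compile time, which is the desired outcome here but worth a mention in the commit message.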
--
2.33.0