dcavalca / rpms / grub2

Forked from rpms/grub2 3 years ago
Clone

Blame SOURCES/0331-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
c4e390
From: Colin Watson <cjwatson@debian.org>
c4e390
Date: Fri, 24 Jul 2020 17:18:09 +0100
b1bcb2
Subject: [PATCH] efilinux: Fix integer overflows in grub_cmd_initrd
c4e390
c4e390
These could be triggered by an extremely large number of arguments to
c4e390
the initrd command on 32-bit architectures, or a crafted filesystem with
c4e390
very large files on any architecture.
c4e390
c4e390
Signed-off-by: Colin Watson <cjwatson@debian.org>
c4e390
---
c4e390
 grub-core/loader/i386/efi/linux.c | 9 +++++++--
c4e390
 1 file changed, 7 insertions(+), 2 deletions(-)
c4e390
c4e390
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
c4e390
index 7166ec17f8f..95dbb9e20af 100644
c4e390
--- a/grub-core/loader/i386/efi/linux.c
c4e390
+++ b/grub-core/loader/i386/efi/linux.c
c4e390
@@ -27,6 +27,7 @@
c4e390
 #include <grub/lib/cmdline.h>
c4e390
 #include <grub/efi/efi.h>
c4e390
 #include <grub/efi/linux.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -93,7 +94,7 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
c4e390
       goto fail;
c4e390
     }
c4e390
 
c4e390
-  files = grub_zalloc (argc * sizeof (files[0]));
c4e390
+  files = grub_calloc (argc, sizeof (files[0]));
c4e390
   if (!files)
c4e390
     goto fail;
c4e390
 
c4e390
@@ -104,7 +105,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
c4e390
       if (! files[i])
c4e390
         goto fail;
c4e390
       nfiles++;
c4e390
-      size += ALIGN_UP (grub_file_size (files[i]), 4);
c4e390
+      if (grub_add (size, ALIGN_UP (grub_file_size (files[i]), 4), &size))
c4e390
+	{
c4e390
+	  grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
c4e390
+	  goto fail;
c4e390
+	}
c4e390
     }
c4e390
 
c4e390
   initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size));