Blame SOURCES/0295-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch

5975ab
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
a4d572
From: Alexey Makhalov <amakhalov@vmware.com>
a4d572
Date: Wed, 15 Jul 2020 06:42:37 +0000
5975ab
Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_addr() input
5975ab
 args against integer underflow/overflow
a4d572
a4d572
Use arithmetic macros from safemath.h to accomplish it. In this commit,
a4d572
I didn't want to be too paranoid to check every possible math equation
a4d572
for overflow/underflow. Only obvious places (with non zero chance of
a4d572
overflow/underflow) were refactored.
a4d572
a4d572
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
a4d572
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
a4d572
Upstream-commit-id: ebb15735f10
a4d572
---
a4d572
 grub-core/loader/i386/linux.c    |  9 +++++++--
a4d572
 grub-core/loader/i386/pc/linux.c |  9 +++++++--
a4d572
 grub-core/loader/i386/xen.c      | 12 ++++++++++--
a4d572
 grub-core/loader/xnu.c           | 11 +++++++----
a4d572
 4 files changed, 31 insertions(+), 10 deletions(-)
a4d572
a4d572
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
a4d572
index 76304f05700..b4a30f607fa 100644
a4d572
--- a/grub-core/loader/i386/linux.c
a4d572
+++ b/grub-core/loader/i386/linux.c
a4d572
@@ -37,6 +37,7 @@
a4d572
 #include <grub/linux.h>
a4d572
 #include <grub/efi/sb.h>
a4d572
 #include <grub/tpm.h>
a4d572
+#include <grub/safemath.h>
a4d572
 
a4d572
 GRUB_MOD_LICENSE ("GPLv3+");
a4d572
 
a4d572
@@ -593,9 +594,13 @@ grub_linux_boot (void)
a4d572
 
a4d572
   {
a4d572
     grub_relocator_chunk_t ch;
a4d572
+    grub_size_t sz;
a4d572
+
a4d572
+    if (grub_add (ctx.real_size, efi_mmap_size, &sz))
a4d572
+      return GRUB_ERR_OUT_OF_RANGE;
a4d572
+
a4d572
     err = grub_relocator_alloc_chunk_addr (relocator, &ch,
a4d572
-					   ctx.real_mode_target,
a4d572
-					   (ctx.real_size + efi_mmap_size));
a4d572
+					   ctx.real_mode_target, sz);
a4d572
     if (err)
a4d572
      return err;
a4d572
     real_mode_mem = get_virtual_current_address (ch);
a4d572
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
a4d572
index 783a3cd93bc..540891371f9 100644
a4d572
--- a/grub-core/loader/i386/pc/linux.c
a4d572
+++ b/grub-core/loader/i386/pc/linux.c
a4d572
@@ -36,6 +36,7 @@
a4d572
 #include <grub/lib/cmdline.h>
a4d572
 #include <grub/linux.h>
a4d572
 #include <grub/efi/sb.h>
a4d572
+#include <grub/safemath.h>
a4d572
 
a4d572
 GRUB_MOD_LICENSE ("GPLv3+");
a4d572
 
a4d572
@@ -231,8 +232,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
a4d572
     setup_sects = GRUB_LINUX_DEFAULT_SETUP_SECTS;
a4d572
 
a4d572
   real_size = setup_sects << GRUB_DISK_SECTOR_BITS;
a4d572
-  grub_linux16_prot_size = grub_file_size (file)
a4d572
-    - real_size - GRUB_DISK_SECTOR_SIZE;
a4d572
+  if (grub_sub (grub_file_size (file), real_size, &grub_linux16_prot_size) ||
a4d572
+      grub_sub (grub_linux16_prot_size, GRUB_DISK_SECTOR_SIZE, &grub_linux16_prot_size))
a4d572
+    {
a4d572
+      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
a4d572
+      goto fail;
a4d572
+    }
a4d572
 
a4d572
   if (! grub_linux_is_bzimage
a4d572
       && GRUB_LINUX_ZIMAGE_ADDR + grub_linux16_prot_size
a4d572
diff --git a/grub-core/loader/i386/xen.c b/grub-core/loader/i386/xen.c
a4d572
index 3073f64d5e5..85b93347b25 100644
a4d572
--- a/grub-core/loader/i386/xen.c
a4d572
+++ b/grub-core/loader/i386/xen.c
a4d572
@@ -40,6 +40,7 @@
a4d572
 #include <grub/xen_file.h>
a4d572
 #include <grub/linux.h>
a4d572
 #include <grub/i386/memory.h>
a4d572
+#include <grub/safemath.h>
a4d572
 
a4d572
 GRUB_MOD_LICENSE ("GPLv3+");
a4d572
 
a4d572
@@ -635,6 +636,7 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
a4d572
   grub_relocator_chunk_t ch;
a4d572
   grub_addr_t kern_start;
a4d572
   grub_addr_t kern_end;
a4d572
+  grub_size_t sz;
a4d572
 
a4d572
   if (argc == 0)
a4d572
     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
a4d572
@@ -699,8 +701,14 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
a4d572
 
a4d572
   xen_state.max_addr = ALIGN_UP (kern_end, PAGE_SIZE);
a4d572
 
a4d572
-  err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start,
a4d572
-					 kern_end - kern_start);
a4d572
+
a4d572
+  if (grub_sub (kern_end, kern_start, &sz))
a4d572
+    {
a4d572
+      err = GRUB_ERR_OUT_OF_RANGE;
a4d572
+      goto fail;
a4d572
+    }
a4d572
+
a4d572
+  err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, sz);
a4d572
   if (err)
a4d572
     goto fail;
a4d572
   kern_chunk_src = get_virtual_current_address (ch);
a4d572
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
a4d572
index dc7d5409e1e..2bf02489bad 100644
a4d572
--- a/grub-core/loader/xnu.c
a4d572
+++ b/grub-core/loader/xnu.c
a4d572
@@ -34,6 +34,7 @@
a4d572
 #include <grub/env.h>
a4d572
 #include <grub/i18n.h>
a4d572
 #include <grub/efi/sb.h>
a4d572
+#include <grub/safemath.h>
a4d572
 
a4d572
 GRUB_MOD_LICENSE ("GPLv3+");
a4d572
 
a4d572
@@ -59,15 +60,17 @@ grub_xnu_heap_malloc (int size, void **src, grub_addr_t *target)
a4d572
 {
a4d572
   grub_err_t err;
a4d572
   grub_relocator_chunk_t ch;
a4d572
+  grub_addr_t tgt;
a4d572
+
a4d572
+  if (grub_add (grub_xnu_heap_target_start, grub_xnu_heap_size, &tgt))
a4d572
+    return GRUB_ERR_OUT_OF_RANGE;
a4d572
   
a4d572
-  err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch,
a4d572
-					 grub_xnu_heap_target_start
a4d572
-					 + grub_xnu_heap_size, size);
a4d572
+  err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, tgt, size);
a4d572
   if (err)
a4d572
     return err;
a4d572
 
a4d572
   *src = get_virtual_current_address (ch);
a4d572
-  *target = grub_xnu_heap_target_start + grub_xnu_heap_size;
a4d572
+  *target = tgt;
a4d572
   grub_xnu_heap_size += size;
a4d572
   grub_dprintf ("xnu", "val=%p\n", *src);
a4d572
   return GRUB_ERR_NONE;