meta/recipes-bsp/grub/files/0008-linux-Fix-integer-overflows-in-initrd-size-handling.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173

From 68a09a74f6d726d79709847f3671c0a08e4fb5a0 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sat, 25 Jul 2020 12:15:37 +0100
Subject: [PATCH 9/9] linux: Fix integer overflows in initrd size handling

These could be triggered by a crafted filesystem with very large files.

Fixes: CVE-2020-15707

Upstream-Status: Backport [commit e7b8856f8be3292afdb38d2e8c70ad8d62a61e10
from https://git.savannah.gnu.org/git/grub.git]

Signed-off-by: Colin Watson <cjwatson@debian.org>
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
---
 grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 54 insertions(+), 20 deletions(-)

diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index 471b214..8c8565a 100644
--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -4,6 +4,7 @@
 #include <grub/misc.h>
 #include <grub/file.h>
 #include <grub/mm.h>
+#include <grub/safemath.h>
 
 struct newc_head
 {
@@ -98,13 +99,13 @@ free_dir (struct dir *root)
   grub_free (root);
 }
 
-static grub_size_t
+static grub_err_t
 insert_dir (const char *name, struct dir **root,
-	    grub_uint8_t *ptr)
+	    grub_uint8_t *ptr, grub_size_t *size)
 {
   struct dir *cur, **head = root;
   const char *cb, *ce = name;
-  grub_size_t size = 0;
+  *size = 0;
   while (1)
     {
       for (cb = ce; *cb == '/'; cb++);
@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
 	      ptr = make_header (ptr, name, ce - name,
 				 040777, 0);
 	    }
-	  size += ALIGN_UP ((ce - (char *) name)
-			    + sizeof (struct newc_head), 4);
+	  if (grub_add (*size,
+		        ALIGN_UP ((ce - (char *) name)
+				  + sizeof (struct newc_head), 4),
+			size))
+	    {
+	      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+	      grub_free (n->name);
+	      grub_free (n);
+	      return grub_errno;
+	    }
 	  *head = n;
 	  cur = n;
 	}
       root = &cur->next;
     }
-  return size;
+  return GRUB_ERR_NONE;
 }
 
 grub_err_t
@@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[],
 	  eptr = grub_strchr (ptr, ':');
 	  if (eptr)
 	    {
+	      grub_size_t dir_size, name_len;
+
 	      initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
-	      if (!initrd_ctx->components[i].newc_name)
+	      if (!initrd_ctx->components[i].newc_name ||
+		  insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
+			      &dir_size))
 		{
 		  grub_initrd_close (initrd_ctx);
 		  return grub_errno;
 		}
-	      initrd_ctx->size
-		+= ALIGN_UP (sizeof (struct newc_head)
-			    + grub_strlen (initrd_ctx->components[i].newc_name),
-			     4);
-	      initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
-					      &root, 0);
+	      name_len = grub_strlen (initrd_ctx->components[i].newc_name);
+	      if (grub_add (initrd_ctx->size,
+			    ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
+			    &initrd_ctx->size) ||
+		  grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
+		goto overflow;
 	      newc = 1;
 	      fname = eptr + 1;
 	    }
 	}
       else if (newc)
 	{
-	  initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
-					+ sizeof ("TRAILER!!!") - 1, 4);
+	  if (grub_add (initrd_ctx->size,
+			ALIGN_UP (sizeof (struct newc_head)
+				  + sizeof ("TRAILER!!!") - 1, 4),
+			&initrd_ctx->size))
+	    goto overflow;
 	  free_dir (root);
 	  root = 0;
 	  newc = 0;
@@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[],
       initrd_ctx->nfiles++;
       initrd_ctx->components[i].size
 	= grub_file_size (initrd_ctx->components[i].file);
-      initrd_ctx->size += initrd_ctx->components[i].size;
+      if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
+		    &initrd_ctx->size))
+	goto overflow;
     }
 
   if (newc)
     {
       initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
-      initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
-				    + sizeof ("TRAILER!!!") - 1, 4);
+      if (grub_add (initrd_ctx->size,
+		    ALIGN_UP (sizeof (struct newc_head)
+			      + sizeof ("TRAILER!!!") - 1, 4),
+		    &initrd_ctx->size))
+	goto overflow;
       free_dir (root);
       root = 0;
     }
   
   return GRUB_ERR_NONE;
+
+ overflow:
+  free_dir (root);
+  grub_initrd_close (initrd_ctx);
+  return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
 }
 
 grub_size_t
@@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
 
       if (initrd_ctx->components[i].newc_name)
 	{
-	  ptr += insert_dir (initrd_ctx->components[i].newc_name,
-			     &root, ptr);
+	  grub_size_t dir_size;
+
+	  if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
+			  &dir_size))
+	    {
+	      free_dir (root);
+	      grub_initrd_close (initrd_ctx);
+	      return grub_errno;
+	    }
+	  ptr += dir_size;
 	  ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
 			     grub_strlen (initrd_ctx->components[i].newc_name),
 			     0100777,
-- 
2.14.4