dgit.raspbian.org Git - grub2.git/commit

author	B Horn <b@horn.uk>
	Fri, 15 Nov 2024 13:12:09 +0000 (13:12 +0000)
committer	Felix Zielcke <fzielcke@z-51.de>
	Thu, 3 Jul 2025 16:35:51 +0000 (18:35 +0200)
commit	7297a2ab4d58ac449f4f1ca5c362651291019275
tree	d89b84727f2a9dfcc8147e060cefdea413fd8bfe	tree \| snapshot
parent	ccc6db2618e9772bbf2f703dcbcd4ca9e957cac0	commit \| diff

net: Fix OOB write in grub_net_search_config_file()

The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
pass the underlying buffers size to the grub_net_search_config_file().

Fixes: CVE-2025-0624
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflicts:
grub-core/normal/main.c

Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name net-Fix-OOB-write-in-grub_net_search_config_file.patch

grub-core/net/net.c		diff \| blob \| history
grub-core/normal/main.c		diff \| blob \| history
include/grub/net.h		diff \| blob \| history