kern/dl: Fix for an integer overflow in grub_dl_ref()
author B Horn <b@horn.uk>
Thu, 18 Apr 2024 14:59:26 +0000 (15:59 +0100)
committer Miao Wang <shankerwangmiao@gmail.com>
Sun, 15 Feb 2026 13:50:20 +0000 (13:50 +0000)
commit e30e5019cf9fdb16cec39c93b785308c1cc96d2f
tree b6e0719194cb73ee260e0ffb297960655b4f2d17
parent 38fcd9e392401bf28599729cfbd2f8c18390af7f
kern/dl: Fix for an integer overflow in grub_dl_ref()

It was possible to overflow the value of mod->ref_count, a signed
integer, by repeatedly invoking insmod on an already loaded module.
This led to a use-after-free, as once ref_count was overflowed it became
possible to unload the module while there were still references to it.

This resolves the issue by using grub_add() to check if the ref_count
will overflow and then stops further increments. Further changes were
also made to grub_dl_unref() to check for the underflow condition and
the reference count was changed to an unsigned 64-bit integer.

Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name kern-dl-Fix-for-an-integer-overflow-in-grub_dl_ref.patch
grub-core/commands/minicmd.c
grub-core/kern/dl.c
include/grub/dl.h
util/misc.c
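
The reference-count behaviour the commit message describes, as an added sketch that is not the patch or GRUB's own code: an unchecked signed counter that wraps, beside an unsigned 64-bit counter with checked increment and decrement. The compiler builtins `__builtin_add_overflow` and `__builtin_sub_overflow` stand in for `grub_add()`, and `struct module`, the function names, and the "count <= 0 means unloadable" rule are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical module record; not GRUB's struct grub_dl. */
struct module { int legacy_count; uint64_t ref_count; };

/* "Before" model: unchecked signed counter. The wrap is computed through
   unsigned arithmetic so the demo itself avoids undefined behaviour; the
   conversion back to int wraps on GCC and Clang. */
static int legacy_ref(struct module *m)
{
    m->legacy_count = (int)((unsigned int)m->legacy_count + 1u);
    return m->legacy_count;
}

/* Assumed unload rule for this sketch: a count <= 0 means "no users". */
static bool legacy_can_unload(const struct module *m)
{
    return m->legacy_count <= 0;
}

/* "After" model: unsigned 64-bit counter, checked add, stop at the limit. */
static uint64_t checked_ref(struct module *m)
{
    uint64_t next;
    if (__builtin_add_overflow(m->ref_count, (uint64_t)1, &next))
        return m->ref_count;          /* would overflow: refuse to increment */
    m->ref_count = next;
    return next;
}

/* Checked decrement: an unref at zero is rejected instead of wrapping. */
static uint64_t checked_unref(struct module *m)
{
    uint64_t next;
    if (__builtin_sub_overflow(m->ref_count, (uint64_t)1, &next))
        return m->ref_count;          /* would underflow: leave at zero */
    m->ref_count = next;
    return next;
}

int main(void)
{
    struct module m = { INT_MAX, UINT64_MAX - 1 };   /* constructed values */
    legacy_ref(&m);
    printf("legacy: count=%d unloadable=%d\n", m.legacy_count, legacy_can_unload(&m));
    checked_ref(&m); checked_ref(&m);
    printf("checked: count=%llu\n", (unsigned long long)m.ref_count);
    return 0;
}
```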