net: Fix OOB write in grub_net_search_config_file()
author B Horn <b@horn.uk>
Fri, 15 Nov 2024 13:12:09 +0000 (13:12 +0000)
committer Felix Zielcke <fzielcke@z-51.de>
Wed, 11 Jun 2025 15:42:34 +0000 (17:42 +0200)
commit 206992e2d9d33dc5b820a0d41a88dcd3f659b441
tree f3123e5b99cfc7bbd677c95820e870b03098084f
parent 441a2888d5b739975b762f53643ecfd0982e54e0
net: Fix OOB write in grub_net_search_config_file()

The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
passing the underlying buffer's size to grub_net_search_config_file().

Fixes: CVE-2025-0624
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Conflicts:
grub-core/normal/main.c

Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name net-Fix-OOB-write-in-grub_net_search_config_file.patch
grub-core/net/net.c
grub-core/normal/main.c
include/grub/net.h
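
The shape of the fix described in the commit message, as an added example that is not GRUB's code: the caller passes the buffer's size and the callee does a strlcpy-style bounded copy and reports truncation. The names `bounded_copy`, `search_config_fixed` and `guard_intact_after_copy`, and the sample strings, are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strlcpy-style copy: writes at most size-1 bytes plus a NUL and returns
   strlen(src), so the caller can detect truncation (result >= size). */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size != 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Hypothetical callee in the fixed shape: the caller states how large
   `config` is. An unbounded strcpy() here would write past the buffer
   whenever env_value is longer than the allocation.
   Returns 0 on success, -1 if the value did not fit. */
static int search_config_fixed(char *config, size_t config_size,
                               const char *env_value)
{
    if (bounded_copy(config, env_value, config_size) >= config_size)
        return -1;
    return 0;
}

/* Copies into the first buf_size bytes (buf_size <= 64) of a region filled
   with a guard pattern; returns 1 if no byte past buf_size was modified. */
static int guard_intact_after_copy(const char *env_value, size_t buf_size)
{
    char region[64];
    memset(region, 0xAA, sizeof(region));
    (void)search_config_fixed(region, buf_size, env_value);
    for (size_t i = buf_size; i < sizeof(region); i++)
        if ((unsigned char)region[i] != 0xAA)
            return 0;
    return 1;
}

int main(void)
{
    char buf[16];
    const char *too_long = "constructed-value-longer-than-16"; /* sample */
    printf("fit=%d\n", search_config_fixed(buf, sizeof(buf), too_long));
    printf("guard=%d\n", guard_intact_after_copy(too_long, sizeof(buf)));
    return 0;
}
```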