kern/dl: Fix for an integer overflow in grub_dl_ref()
author B Horn <b@horn.uk>
Thu, 18 Apr 2024 14:59:26 +0000 (15:59 +0100)
committer Felix Zielcke <fzielcke@z-51.de>
Wed, 11 Jun 2025 15:42:34 +0000 (17:42 +0200)
commit a5b2949c77f809b6143b54e387b05bca3b881bf4
tree 159458b10ca10b0eef7c58940d24891e310a548e
parent 47cb2349da8bf9bb4322ba2b64a2e42d50876b59
kern/dl: Fix for an integer overflow in grub_dl_ref()

It was possible to overflow the value of mod->ref_count, a signed
integer, by repeatedly invoking insmod on an already loaded module.
This led to a use-after-free, as once ref_count was overflowed it became
possible to unload the module while there were still references to it.

This resolves the issue by using grub_add() to check if the ref_count
will overflow and then stops further increments. Further changes were
also made to grub_dl_unref() to check for the underflow condition and
the reference count was changed to an unsigned 64-bit integer.

Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name kern-dl-Fix-for-an-integer-overflow-in-grub_dl_ref.patch
grub-core/commands/minicmd.c
grub-core/kern/dl.c
include/grub/dl.h
util/misc.c
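
The checked reference counting the commit message describes, as an added example that is not GRUB's code: it uses the compiler builtins __builtin_add_overflow and __builtin_sub_overflow in place of grub_add(), and the struct, the function names and the unload rule are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-in for a loaded module; not GRUB's own type. */
struct module {
    uint64_t ref_count;   /* unsigned 64-bit, as the fix describes */
};

/* Pre-fix model: a signed int counter incremented with no check.
   The sum is computed in unsigned arithmetic so the demo has no
   undefined behaviour; on GCC and Clang the conversion back to int
   turns INT_MAX + 1 into INT_MIN, a negative count. */
static int legacy_ref(int count)
{
    return (int)((unsigned int)count + 1u);
}

/* Checked increment: on overflow the counter is left unchanged. */
static uint64_t module_ref(struct module *m)
{
    uint64_t next;
    if (__builtin_add_overflow(m->ref_count, (uint64_t)1, &next))
        return m->ref_count;          /* saturated: stop incrementing */
    m->ref_count = next;
    return next;
}

/* Checked decrement: dropping a reference at zero is refused. */
static uint64_t module_unref(struct module *m)
{
    uint64_t next;
    if (__builtin_sub_overflow(m->ref_count, (uint64_t)1, &next))
        return m->ref_count;          /* underflow: leave at zero */
    m->ref_count = next;
    return next;
}

/* Assumed unload rule for this demo: only with no references left. */
static bool module_can_unload(const struct module *m)
{
    return m->ref_count == 0;
}
```

A saturated counter never returns to zero through a wrap, so a module that has hit the ceiling stays loaded instead of becoming unloadable while references exist.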