From: Lidong Chen <lidong.chen@oracle.com>
Date: Fri, 22 Nov 2024 06:27:57 +0000 (+0000)
Subject: gettext: Integer overflow leads to heap OOB write
X-Git-Tag: archive/raspbian/2.12-8+rpi1^2~36
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=ae3314c1291c62d31d8d0b3a208e00bc2b208d3f;p=grub2.git

gettext: Integer overflow leads to heap OOB write

The size calculation of the translation buffer in
grub_gettext_getstr_from_position() may overflow
to 0 leading to heap OOB write. This patch fixes
the issue by using grub_add() and checking for
an overflow.

Fixes: CVE-2024-45777

Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>

Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name gettext-Integer-overflow-leads-to-heap-OOB-write.patch
---

diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
index 635c4ad..f6a9f5a 100644
--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
@@ -26,6 +26,7 @@
 #include <grub/file.h>
 #include <grub/kernel.h>
 #include <grub/i18n.h>
+#include <grub/safemath.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
   char *translation;
   struct string_descriptor desc;
   grub_err_t err;
+  grub_size_t alloc_sz;
 
   internal_position = (off + position * sizeof (desc));
 
@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
   length = grub_cpu_to_le32 (desc.length);
   offset = grub_cpu_to_le32 (desc.offset);
 
-  translation = grub_malloc (length + 1);
+  if (grub_add (length, 1, &alloc_sz))
+    return NULL;
+
+  translation = grub_malloc (alloc_sz);
   if (!translation)
     return NULL;