From: Jonathan Bar Or Date: Thu, 23 Jan 2025 18:17:05 +0000 (+0100) Subject: commands/read: Fix an integer overflow when supplying more than 2^31 characters X-Git-Tag: archive/raspbian/2.12-8+rpi1^2~35 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=c51e33a6ed454670ba2b8c28e1538e086058b4dc;p=grub2.git commands/read: Fix an integer overflow when supplying more than 2^31 characters The grub_getline() function currently has a signed integer variable "i" that can be overflown when user supplies more than 2^31 characters. It results in a memory corruption of the allocated line buffer as well as supplying large negative values to grub_realloc(). Fixes: CVE-2025-0690 Reported-by: Jonathan Bar Or Signed-off-by: Jonathan Bar Or Reviewed-by: Daniel Kiper Gbp-Pq: Topic cve-2025-jan Gbp-Pq: Name commands-read-Fix-an-integer-overflow-when-supplying-more.patch --- diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c index 597c907..8d72e45 100644 --- a/grub-core/commands/read.c +++ b/grub-core/commands/read.c @@ -25,6 +25,7 @@ #include #include #include +#include GRUB_MOD_LICENSE ("GPLv3+"); @@ -37,13 +38,14 @@ static const struct grub_arg_option options[] = static char * grub_getline (int silent) { - int i; + grub_size_t i; char *line; char *tmp; int c; + grub_size_t alloc_size; i = 0; - line = grub_malloc (1 + i + sizeof('\0')); + line = grub_malloc (1 + sizeof('\0')); if (! line) return NULL; @@ -59,8 +61,17 @@ grub_getline (int silent) line[i] = (char) c; if (!silent) grub_printf ("%c", c); - i++; - tmp = grub_realloc (line, 1 + i + sizeof('\0')); + if (grub_add (i, 1, &i)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + return NULL; + } + if (grub_add (i, 1 + sizeof('\0'), &alloc_size)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + return NULL; + } + tmp = grub_realloc (line, alloc_size); if (! tmp) { grub_free (line);