47cf63735c
Resolves: CVE-2020-10713 Resolves: CVE-2020-14308 Resolves: CVE-2020-14309 Resolves: CVE-2020-14310 Resolves: CVE-2020-14311 Resolves: CVE-2020-15705 Resolves: CVE-2020-15706 Resolves: CVE-2020-15707 Signed-off-by: Peter Jones <pjones@redhat.com>
148 lines
4.8 KiB
Diff
148 lines
4.8 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Alexey Makhalov <amakhalov@vmware.com>
|
|
Date: Wed, 15 Jul 2020 06:42:37 +0000
|
|
Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_addr() input
|
|
args against integer underflow/overflow
|
|
|
|
Use arithmetic macros from safemath.h to accomplish it. In this commit,
|
|
I didn't want to be too paranoid to check every possible math equation
|
|
for overflow/underflow. Only obvious places (with non zero chance of
|
|
overflow/underflow) were refactored.
|
|
|
|
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
Upstream-commit-id: ebb15735f10
|
|
---
|
|
grub-core/loader/i386/linux.c | 9 +++++++--
|
|
grub-core/loader/i386/pc/linux.c | 9 +++++++--
|
|
grub-core/loader/i386/xen.c | 12 ++++++++++--
|
|
grub-core/loader/xnu.c | 11 +++++++----
|
|
4 files changed, 31 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
|
|
index 201e6597c6d..90f2315f847 100644
|
|
--- a/grub-core/loader/i386/linux.c
|
|
+++ b/grub-core/loader/i386/linux.c
|
|
@@ -37,6 +37,7 @@
|
|
#include <grub/linux.h>
|
|
#include <grub/machine/kernel.h>
|
|
#include <grub/efi/sb.h>
|
|
+#include <grub/safemath.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
@@ -548,9 +549,13 @@ grub_linux_boot (void)
|
|
|
|
{
|
|
grub_relocator_chunk_t ch;
|
|
+ grub_size_t sz;
|
|
+
|
|
+ if (grub_add (ctx.real_size, efi_mmap_size, &sz))
|
|
+ return GRUB_ERR_OUT_OF_RANGE;
|
|
+
|
|
err = grub_relocator_alloc_chunk_addr (relocator, &ch,
|
|
- ctx.real_mode_target,
|
|
- (ctx.real_size + efi_mmap_size));
|
|
+ ctx.real_mode_target, sz);
|
|
if (err)
|
|
return err;
|
|
real_mode_mem = get_virtual_current_address (ch);
|
|
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
|
|
index 0bf0e13d647..33d1196b1e2 100644
|
|
--- a/grub-core/loader/i386/pc/linux.c
|
|
+++ b/grub-core/loader/i386/pc/linux.c
|
|
@@ -36,6 +36,7 @@
|
|
#include <grub/lib/cmdline.h>
|
|
#include <grub/linux.h>
|
|
#include <grub/efi/sb.h>
|
|
+#include <grub/safemath.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
@@ -231,8 +232,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
setup_sects = GRUB_LINUX_DEFAULT_SETUP_SECTS;
|
|
|
|
real_size = setup_sects << GRUB_DISK_SECTOR_BITS;
|
|
- grub_linux16_prot_size = grub_file_size (file)
|
|
- - real_size - GRUB_DISK_SECTOR_SIZE;
|
|
+ if (grub_sub (grub_file_size (file), real_size, &grub_linux16_prot_size) ||
|
|
+ grub_sub (grub_linux16_prot_size, GRUB_DISK_SECTOR_SIZE, &grub_linux16_prot_size))
|
|
+ {
|
|
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
|
|
+ goto fail;
|
|
+ }
|
|
|
|
if (! grub_linux_is_bzimage
|
|
&& GRUB_LINUX_ZIMAGE_ADDR + grub_linux16_prot_size
|
|
diff --git a/grub-core/loader/i386/xen.c b/grub-core/loader/i386/xen.c
|
|
index 8f662c8ac89..cd24874ca32 100644
|
|
--- a/grub-core/loader/i386/xen.c
|
|
+++ b/grub-core/loader/i386/xen.c
|
|
@@ -41,6 +41,7 @@
|
|
#include <grub/linux.h>
|
|
#include <grub/i386/memory.h>
|
|
#include <grub/verify.h>
|
|
+#include <grub/safemath.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
@@ -636,6 +637,7 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
|
|
grub_relocator_chunk_t ch;
|
|
grub_addr_t kern_start;
|
|
grub_addr_t kern_end;
|
|
+ grub_size_t sz;
|
|
|
|
if (argc == 0)
|
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
|
@@ -703,8 +705,14 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
|
|
|
|
xen_state.max_addr = ALIGN_UP (kern_end, PAGE_SIZE);
|
|
|
|
- err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start,
|
|
- kern_end - kern_start);
|
|
+
|
|
+ if (grub_sub (kern_end, kern_start, &sz))
|
|
+ {
|
|
+ err = GRUB_ERR_OUT_OF_RANGE;
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
+ err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, sz);
|
|
if (err)
|
|
goto fail;
|
|
kern_chunk_src = get_virtual_current_address (ch);
|
|
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
|
|
index 2f0ebd0b8bf..3fd653993f7 100644
|
|
--- a/grub-core/loader/xnu.c
|
|
+++ b/grub-core/loader/xnu.c
|
|
@@ -35,6 +35,7 @@
|
|
#include <grub/i18n.h>
|
|
#include <grub/verify.h>
|
|
#include <grub/efi/sb.h>
|
|
+#include <grub/safemath.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
@@ -60,15 +61,17 @@ grub_xnu_heap_malloc (int size, void **src, grub_addr_t *target)
|
|
{
|
|
grub_err_t err;
|
|
grub_relocator_chunk_t ch;
|
|
+ grub_addr_t tgt;
|
|
+
|
|
+ if (grub_add (grub_xnu_heap_target_start, grub_xnu_heap_size, &tgt))
|
|
+ return GRUB_ERR_OUT_OF_RANGE;
|
|
|
|
- err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch,
|
|
- grub_xnu_heap_target_start
|
|
- + grub_xnu_heap_size, size);
|
|
+ err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, tgt, size);
|
|
if (err)
|
|
return err;
|
|
|
|
*src = get_virtual_current_address (ch);
|
|
- *target = grub_xnu_heap_target_start + grub_xnu_heap_size;
|
|
+ *target = tgt;
|
|
grub_xnu_heap_size += size;
|
|
grub_dprintf ("xnu", "val=%p\n", *src);
|
|
return GRUB_ERR_NONE;
|