grub2/0020-fs-Prevent-overflows-when-allocating-memory-for-arra.patch

From 53a0f0ebe569a846de22085c654ea4fbdfb6a154 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Tue, 21 Jan 2025 19:02:37 +0000
Subject: [PATCH 20/20] fs: Prevent overflows when allocating memory for arrays

Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.

The HFS+ and squash4 security vulnerabilities were reported by
Jonathan Bar Or <jonathanbaror@gmail.com>.

Fixes: CVE-2025-0678
Fixes: CVE-2025-1125

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/btrfs.c       | 4 ++--
 grub-core/fs/hfspluscomp.c | 9 +++++++--
 grub-core/fs/squash4.c     | 8 ++++----
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 0dd9a817ee..8d0147dac1 100644
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -1409,8 +1409,8 @@ grub_btrfs_mount (grub_device_t dev)
     }
 
   data->n_devices_allocated = 16;
-  data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
-					* data->n_devices_allocated);
+  data->devices_attached = grub_calloc (data->n_devices_allocated,
+					sizeof (data->devices_attached[0]));
   if (!data->devices_attached)
     {
       grub_free (data);
diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
index 48ae438d85..a80954ee61 100644
--- a/grub-core/fs/hfspluscomp.c
+++ b/grub-core/fs/hfspluscomp.c
@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
 	  return 0;
 	}
       node->compress_index_size = grub_le_to_cpu32 (index_size);
-      node->compress_index = grub_malloc (node->compress_index_size
-					  * sizeof (node->compress_index[0]));
+      node->compress_index = grub_calloc (node->compress_index_size,
+					  sizeof (node->compress_index[0]));
       if (!node->compress_index)
 	{
 	  node->compressed = 0;
 	  grub_free (attr_node);
 	  return grub_errno;
 	}
+
+      /*
+       * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
+       * due to relevant checks done in grub_calloc() above.
+       */
       if (grub_hfsplus_read_file (node, 0, 0,
 				  0x104 + sizeof (index_size),
 				  node->compress_index_size
diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
index 6e9d63874c..77aa4fbf3a 100644
--- a/grub-core/fs/squash4.c
+++ b/grub-core/fs/squash4.c
@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data,
 	  break;
 	}
       total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
-      ino->block_sizes = grub_malloc (total_blocks
-				      * sizeof (ino->block_sizes[0]));
-      ino->cumulated_block_sizes = grub_malloc (total_blocks
-						* sizeof (ino->cumulated_block_sizes[0]));
+      ino->block_sizes = grub_calloc (total_blocks,
+				      sizeof (ino->block_sizes[0]));
+      ino->cumulated_block_sizes = grub_calloc (total_blocks,
+						sizeof (ino->cumulated_block_sizes[0]));
       if (!ino->block_sizes || !ino->cumulated_block_sizes)
 	{
 	  grub_free (ino->block_sizes);
-- 
2.48.1
Accepting request 1246819 from home:michael-chang:branches:Base:System - Security fixes for 2024 * 0001-misc-Implement-grub_strlcpy.patch - Fix CVE-2024-45781 (bsc#1233617) * 0002-fs-ufs-Fix-a-heap-OOB-write.patch - Fix CVE-2024-56737 (bsc#1234958) - Fix CVE-2024-45782 (bsc#1233615) * 0003-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch - Fix CVE-2024-45780 (bsc#1233614) * 0004-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch - Fix CVE-2024-45783 (bsc#1233616) * 0005-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch * 0006-kern-file-Ensure-file-data-is-set.patch * 0007-kern-file-Implement-filesystem-reference-counting.patch - Fix CVE-2025-0624 (bsc#1236316) * 0008-net-Fix-OOB-write-in-grub_net_search_config_file.patch - Fix CVE-2024-45774 (bsc#1233609) * 0009-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch - Fix CVE-2024-45775 (bsc#1233610) * 0010-commands-extcmd-Missing-check-for-failed-allocation.patch - Fix CVE-2025-0622 (bsc#1236317) * 0011-commands-pgp-Unregister-the-check_signatures-hooks-o.patch - Fix CVE-2025-0622 (bsc#1236317) * 0012-normal-Remove-variables-hooks-on-module-unload.patch - Fix CVE-2025-0622 (bsc#1236317) * 0013-gettext-Remove-variables-hooks-on-module-unload.patch - Fix CVE-2024-45776 (bsc#1233612) * 0014-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch - Fix CVE-2024-45777 (bsc#1233613) * 0015-gettext-Integer-overflow-leads-to-heap-OOB-write.patch - Fix CVE-2025-0690 (bsc#1237012) OBS-URL: https://build.opensuse.org/request/show/1246819 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=528 2025-02-19 01:23:28 +00:00			`From 53a0f0ebe569a846de22085c654ea4fbdfb6a154 Mon Sep 17 00:00:00 2001`
			`From: Lidong Chen <lidong.chen@oracle.com>`
			`Date: Tue, 21 Jan 2025 19:02:37 +0000`
			`Subject: [PATCH 20/20] fs: Prevent overflows when allocating memory for arrays`

			`Use grub_calloc() when allocating memory for arrays to ensure proper`
			`overflow checks are in place.`

			`The HFS+ and squash4 security vulnerabilities were reported by`
			`Jonathan Bar Or <jonathanbaror@gmail.com>.`

			`Fixes: CVE-2025-0678`
			`Fixes: CVE-2025-1125`

			`Signed-off-by: Lidong Chen <lidong.chen@oracle.com>`
			`Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>`
			`---`
			`grub-core/fs/btrfs.c \| 4 ++--`
			`grub-core/fs/hfspluscomp.c \| 9 +++++++--`
			`grub-core/fs/squash4.c \| 8 ++++----`
			`3 files changed, 13 insertions(+), 8 deletions(-)`

			`diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c`
			`index 0dd9a817ee..8d0147dac1 100644`
			`--- a/grub-core/fs/btrfs.c`
			`+++ b/grub-core/fs/btrfs.c`
			`@@ -1409,8 +1409,8 @@ grub_btrfs_mount (grub_device_t dev)`
			`}`

			`data->n_devices_allocated = 16;`
			`- data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])`
			`- * data->n_devices_allocated);`
			`+ data->devices_attached = grub_calloc (data->n_devices_allocated,`
			`+ sizeof (data->devices_attached[0]));`
			`if (!data->devices_attached)`
			`{`
			`grub_free (data);`
			`diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c`
			`index 48ae438d85..a80954ee61 100644`
			`--- a/grub-core/fs/hfspluscomp.c`
			`+++ b/grub-core/fs/hfspluscomp.c`
			`@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)`
			`return 0;`
			`}`
			`node->compress_index_size = grub_le_to_cpu32 (index_size);`
			`- node->compress_index = grub_malloc (node->compress_index_size`
			`- * sizeof (node->compress_index[0]));`
			`+ node->compress_index = grub_calloc (node->compress_index_size,`
			`+ sizeof (node->compress_index[0]));`
			`if (!node->compress_index)`
			`{`
			`node->compressed = 0;`
			`grub_free (attr_node);`
			`return grub_errno;`
			`}`
			`+`
			`+ /*`
			`+ * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here`
			`+ * due to relevant checks done in grub_calloc() above.`
			`+ */`
			`if (grub_hfsplus_read_file (node, 0, 0,`
			`0x104 + sizeof (index_size),`
			`node->compress_index_size`
			`diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c`
			`index 6e9d63874c..77aa4fbf3a 100644`
			`--- a/grub-core/fs/squash4.c`
			`+++ b/grub-core/fs/squash4.c`
			`@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data,`
			`break;`
			`}`
			`total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);`
			`- ino->block_sizes = grub_malloc (total_blocks`
			`- * sizeof (ino->block_sizes[0]));`
			`- ino->cumulated_block_sizes = grub_malloc (total_blocks`
			`- * sizeof (ino->cumulated_block_sizes[0]));`
			`+ ino->block_sizes = grub_calloc (total_blocks,`
			`+ sizeof (ino->block_sizes[0]));`
			`+ ino->cumulated_block_sizes = grub_calloc (total_blocks,`
			`+ sizeof (ino->cumulated_block_sizes[0]));`
			`if (!ino->block_sizes \|\| !ino->cumulated_block_sizes)`
			`{`
			`grub_free (ino->block_sizes);`
			`--`
			`2.48.1`