From de9400db3f181e059f9ab1bb6a667ae2c29baf03 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Fri, 15 Nov 2024 13:12:09 +0000
Subject: [PATCH 08/20] net: Fix OOB write in grub_net_search_config_file()

The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
pass the underlying buffers size to the grub_net_search_config_file().

Fixes: CVE-2025-0624

Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/net/net.c     | 7 ++++---
 grub-core/normal/main.c | 2 +-
 include/grub/net.h      | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/grub-core/net/net.c b/grub-core/net/net.c
index 22221dc6a0..df13c3aaaa 100644
--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
@@ -1912,14 +1912,15 @@ grub_config_search_through (char *config, char *suffix,
 }
 
 grub_err_t
-grub_net_search_config_file (char *config)
+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
 {
-  grub_size_t config_len;
+  grub_size_t config_len, suffix_len;
   char *suffix;
 
   config_len = grub_strlen (config);
   config[config_len] = '-';
   suffix = config + config_len + 1;
+  suffix_len = config_buf_len - (config_len + 1);
 
   struct grub_net_network_level_interface *inf;
   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
@@ -1945,7 +1946,7 @@ grub_net_search_config_file (char *config)
 
       if (client_uuid)
         {
-          grub_strcpy (suffix, client_uuid);
+          grub_strlcpy (suffix, client_uuid, suffix_len);
           if (grub_config_search_through (config, suffix, 1, 0) == 0)
             return GRUB_ERR_NONE;
         }
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index b08fd6977d..f2679c4378 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -451,7 +451,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
 
           if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 &&
               !disable_net_search)
-            grub_net_search_config_file (config);
+            grub_net_search_config_file (config, config_len);
 
 	  grub_enter_normal_mode (config);
 	  grub_free (config);
diff --git a/include/grub/net.h b/include/grub/net.h
index dfb089a35c..abb637eaa2 100644
--- a/include/grub/net.h
+++ b/include/grub/net.h
@@ -652,7 +652,7 @@ void
 grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
 
 grub_err_t
-grub_net_search_config_file (char *config);
+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
 
 extern char *grub_net_default_server;
 
-- 
2.48.1