From fd945966dc04c01765dcf129d8884f0b22991e74 Mon Sep 17 00:00:00 2001 From: Jonathan Bar Or Date: Thu, 23 Jan 2025 19:17:05 +0100 Subject: [PATCH 16/20] commands/read: Fix an integer overflow when supplying more than 2^31 characters The grub_getline() function currently has a signed integer variable "i" that can be overflown when user supplies more than 2^31 characters. It results in a memory corruption of the allocated line buffer as well as supplying large negative values to grub_realloc(). Fixes: CVE-2025-0690 Reported-by: Jonathan Bar Or Signed-off-by: Jonathan Bar Or Reviewed-by: Daniel Kiper --- grub-core/commands/read.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c index 9bbc523f6b..b8597692e2 100644 --- a/grub-core/commands/read.c +++ b/grub-core/commands/read.c @@ -26,6 +26,7 @@ #include #include #include +#include GRUB_MOD_LICENSE ("GPLv3+"); @@ -38,13 +39,14 @@ static const struct grub_arg_option options[] = static char * grub_getline (int silent) { - int i; + grub_size_t i; char *line; char *tmp; int c; + grub_size_t alloc_size; i = 0; - line = grub_malloc (1 + i + sizeof('\0')); + line = grub_malloc (1 + sizeof('\0')); if (! line) return NULL; @@ -60,8 +62,17 @@ grub_getline (int silent) line[i] = (char) c; if (!silent) grub_printf ("%c", c); - i++; - tmp = grub_realloc (line, 1 + i + sizeof('\0')); + if (grub_add (i, 1, &i)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + return NULL; + } + if (grub_add (i, 1 + sizeof('\0'), &alloc_size)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + return NULL; + } + tmp = grub_realloc (line, alloc_size); if (! tmp) { grub_free (line); -- 2.48.1