8e2eae8e3f
- Security fixes for 2024 * 0001-misc-Implement-grub_strlcpy.patch - Fix CVE-2024-45781 (bsc#1233617) * 0002-fs-ufs-Fix-a-heap-OOB-write.patch - Fix CVE-2024-56737 (bsc#1234958) - Fix CVE-2024-45782 (bsc#1233615) * 0003-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch - Fix CVE-2024-45780 (bsc#1233614) * 0004-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch - Fix CVE-2024-45783 (bsc#1233616) * 0005-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch * 0006-kern-file-Ensure-file-data-is-set.patch * 0007-kern-file-Implement-filesystem-reference-counting.patch - Fix CVE-2025-0624 (bsc#1236316) * 0008-net-Fix-OOB-write-in-grub_net_search_config_file.patch - Fix CVE-2024-45774 (bsc#1233609) * 0009-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch - Fix CVE-2024-45775 (bsc#1233610) * 0010-commands-extcmd-Missing-check-for-failed-allocation.patch - Fix CVE-2025-0622 (bsc#1236317) * 0011-commands-pgp-Unregister-the-check_signatures-hooks-o.patch - Fix CVE-2025-0622 (bsc#1236317) * 0012-normal-Remove-variables-hooks-on-module-unload.patch - Fix CVE-2025-0622 (bsc#1236317) * 0013-gettext-Remove-variables-hooks-on-module-unload.patch - Fix CVE-2024-45776 (bsc#1233612) * 0014-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch - Fix CVE-2024-45777 (bsc#1233613) * 0015-gettext-Integer-overflow-leads-to-heap-OOB-write.patch - Fix CVE-2025-0690 (bsc#1237012) OBS-URL: https://build.opensuse.org/request/show/1246819 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=528
57 lines
1.7 KiB
Diff
57 lines
1.7 KiB
Diff
From 1f8d74717d2bebd1206143c1acbf720be9097011 Mon Sep 17 00:00:00 2001
|
|
From: Lidong Chen <lidong.chen@oracle.com>
|
|
Date: Fri, 22 Nov 2024 06:27:57 +0000
|
|
Subject: [PATCH 15/20] gettext: Integer overflow leads to heap OOB write
|
|
|
|
The size calculation of the translation buffer in
|
|
grub_gettext_getstr_from_position() may overflow
|
|
to 0 leading to heap OOB write. This patch fixes
|
|
the issue by using grub_add() and checking for
|
|
an overflow.
|
|
|
|
Fixes: CVE-2024-45777
|
|
|
|
Reported-by: Nils Langius <nils@langius.de>
|
|
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
|
|
---
|
|
grub-core/gettext/gettext.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
|
|
index 63bb1ab73f..9ffc734284 100644
|
|
--- a/grub-core/gettext/gettext.c
|
|
+++ b/grub-core/gettext/gettext.c
|
|
@@ -26,6 +26,7 @@
|
|
#include <grub/file.h>
|
|
#include <grub/kernel.h>
|
|
#include <grub/i18n.h>
|
|
+#include <grub/safemath.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
|
|
char *translation;
|
|
struct string_descriptor desc;
|
|
grub_err_t err;
|
|
+ grub_size_t alloc_sz;
|
|
|
|
internal_position = (off + position * sizeof (desc));
|
|
|
|
@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
|
|
length = grub_cpu_to_le32 (desc.length);
|
|
offset = grub_cpu_to_le32 (desc.offset);
|
|
|
|
- translation = grub_malloc (length + 1);
|
|
+ if (grub_add (length, 1, &alloc_sz))
|
|
+ return NULL;
|
|
+
|
|
+ translation = grub_malloc (alloc_sz);
|
|
if (!translation)
|
|
return NULL;
|
|
|
|
--
|
|
2.48.1
|
|
|