1f5e046570
- Fix for CVE-2020-10713 (bsc#1168994) * 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch - Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812) * 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch * 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch * 0004-calloc-Use-calloc-at-most-places.patch * 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch * 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch * 0007-font-Do-not-load-more-than-one-NAME-section.patch - Fix CVE-2020-15706 (bsc#1174463) * 0008-script-Remove-unused-fields-from-grub_script_functio.patch * 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch - Fix CVE-2020-15707 (bsc#1174570) * 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch - Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data - Use grub_calloc for overflow check and return NULL when it would occur * 0001-add-support-for-UEFI-network-protocols.patch * 0003-bootp-New-net_bootp6-command.patch * grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch * grub2-btrfs-09-get-default-subvolume.patch * grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch * grub2-grubenv-in-btrfs-header.patch OBS-URL: https://build.opensuse.org/request/show/823469 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=358
68 lines
2.5 KiB
Diff
68 lines
2.5 KiB
Diff
From a948ac01744f3490fa5af4b38039f7dade68bb3e Mon Sep 17 00:00:00 2001
|
|
From: Peter Jones <pjones@redhat.com>
|
|
Date: Wed, 15 Apr 2020 15:45:02 -0400
|
|
Subject: [PATCH EMBARGOED CVE-2020-10713] yylex: Make lexer fatal errors
|
|
actually be fatal
|
|
|
|
When presented with a command that can't be tokenized to anything
|
|
smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
|
|
expecting that will stop further processing, as such:
|
|
|
|
#define YY_DO_BEFORE_ACTION \
|
|
yyg->yytext_ptr = yy_bp; \
|
|
yyleng = (int) (yy_cp - yy_bp); \
|
|
yyg->yy_hold_char = *yy_cp; \
|
|
*yy_cp = '\0'; \
|
|
if ( yyleng >= YYLMAX ) \
|
|
YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
|
|
yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
|
|
yyg->yy_c_buf_p = yy_cp;
|
|
|
|
The code flex generates expects that YY_FATAL_ERROR() will either return
|
|
for it or do some form of longjmp(), or handle the error in some way at
|
|
least, and so the strncpy() call isn't in an "else" clause, and thus if
|
|
YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
|
|
questionable limit, and predictable results ensue.
|
|
|
|
Unfortunately, our implementation of YY_FATAL_ERROR() is:
|
|
|
|
#define YY_FATAL_ERROR(msg) \
|
|
do { \
|
|
grub_printf (_("fatal error: %s\n"), _(msg)); \
|
|
} while (0)
|
|
|
|
The same pattern exists in yyless(), and similar problems exist in users
|
|
of YY_INPUT(), several places in the main parsing loop,
|
|
yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
|
|
yy_scan_buffer(), etc.
|
|
|
|
All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
|
|
the things they do if it returns after calling it are wildly unsafe.
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/script/yylex.l | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
|
|
index 7b44c37b7..b7203c823 100644
|
|
--- a/grub-core/script/yylex.l
|
|
+++ b/grub-core/script/yylex.l
|
|
@@ -37,11 +37,11 @@
|
|
|
|
/*
|
|
* As we don't have access to yyscanner, we cannot do much except to
|
|
- * print the fatal error.
|
|
+ * print the fatal error and exit.
|
|
*/
|
|
#define YY_FATAL_ERROR(msg) \
|
|
do { \
|
|
- grub_printf (_("fatal error: %s\n"), _(msg)); \
|
|
+ grub_fatal (_("fatal error: %s\n"), _(msg));\
|
|
} while (0)
|
|
|
|
#define COPY(str, hint) \
|
|
--
|
|
2.11.0
|