forked from pool/grub2
1f5e046570
- Fix for CVE-2020-10713 (bsc#1168994) * 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch - Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812) * 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch * 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch * 0004-calloc-Use-calloc-at-most-places.patch * 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch * 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch * 0007-font-Do-not-load-more-than-one-NAME-section.patch - Fix CVE-2020-15706 (bsc#1174463) * 0008-script-Remove-unused-fields-from-grub_script_functio.patch * 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch - Fix CVE-2020-15707 (bsc#1174570) * 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch - Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data - Use grub_calloc for overflow check and return NULL when it would occur * 0001-add-support-for-UEFI-network-protocols.patch * 0003-bootp-New-net_bootp6-command.patch * grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch * grub2-btrfs-09-get-default-subvolume.patch * grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch * grub2-grubenv-in-btrfs-header.patch OBS-URL: https://build.opensuse.org/request/show/823469 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=358
108 lines
3.5 KiB
Diff
108 lines
3.5 KiB
Diff
From 809f3a26897f5f648325c5741e72dc1b3db828ee Mon Sep 17 00:00:00 2001
|
|
From: Chris Coulson <chris.coulson@canonical.com>
|
|
Date: Fri, 10 Jul 2020 14:41:45 +0100
|
|
Subject: [PATCH 19/27] script: Avoid a use-after-free when redefining a
|
|
function during execution
|
|
|
|
Defining a new function with the same name as a previously defined
|
|
function causes the grub_script and associated resources for the
|
|
previous function to be freed. If the previous function is currently
|
|
executing when a function with the same name is defined, this results
|
|
in use-after-frees when processing subsequent commands in the original
|
|
function.
|
|
|
|
Instead, reject a new function definition if it has the same name as
|
|
a previously defined function, and that function is currently being
|
|
executed. Although a behavioural change, this should be backwards
|
|
compatible with existing configurations because they can't be
|
|
dependent on the current behaviour without being broken.
|
|
|
|
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/script/execute.c | 2 ++
|
|
grub-core/script/function.c | 16 +++++++++++++---
|
|
grub-core/script/parser.y | 3 ++-
|
|
include/grub/script_sh.h | 2 ++
|
|
4 files changed, 19 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
|
|
index 8a9161cc8..ce83edd4b 100644
|
|
--- a/grub-core/script/execute.c
|
|
+++ b/grub-core/script/execute.c
|
|
@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
|
|
old_scope = scope;
|
|
scope = &new_scope;
|
|
|
|
+ func->executing++;
|
|
ret = grub_script_execute (func->func);
|
|
+ func->executing--;
|
|
|
|
function_return = 0;
|
|
active_loops = loops;
|
|
diff --git a/grub-core/script/function.c b/grub-core/script/function.c
|
|
index d36655e51..3aad04bf9 100644
|
|
--- a/grub-core/script/function.c
|
|
+++ b/grub-core/script/function.c
|
|
@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
|
|
func = (grub_script_function_t) grub_malloc (sizeof (*func));
|
|
if (! func)
|
|
return 0;
|
|
+ func->executing = 0;
|
|
|
|
func->name = grub_strdup (functionname_arg->str);
|
|
if (! func->name)
|
|
@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
|
|
grub_script_function_t q;
|
|
|
|
q = *p;
|
|
- grub_script_free (q->func);
|
|
- q->func = cmd;
|
|
grub_free (func);
|
|
- func = q;
|
|
+ if (q->executing > 0)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
+ N_("attempt to redefine a function being executed"));
|
|
+ func = NULL;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ grub_script_free (q->func);
|
|
+ q->func = cmd;
|
|
+ func = q;
|
|
+ }
|
|
}
|
|
else
|
|
{
|
|
diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
|
|
index 4f0ab8319..f80b86b6f 100644
|
|
--- a/grub-core/script/parser.y
|
|
+++ b/grub-core/script/parser.y
|
|
@@ -289,7 +289,8 @@ function: "function" "name"
|
|
grub_script_mem_free (state->func_mem);
|
|
else {
|
|
script->children = state->scripts;
|
|
- grub_script_function_create ($2, script);
|
|
+ if (!grub_script_function_create ($2, script))
|
|
+ grub_script_free (script);
|
|
}
|
|
|
|
state->scripts = $<scripts>3;
|
|
diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
|
|
index b382bcf09..6c48e0751 100644
|
|
--- a/include/grub/script_sh.h
|
|
+++ b/include/grub/script_sh.h
|
|
@@ -361,6 +361,8 @@ struct grub_script_function
|
|
|
|
/* The next element. */
|
|
struct grub_script_function *next;
|
|
+
|
|
+ unsigned executing;
|
|
};
|
|
typedef struct grub_script_function *grub_script_function_t;
|
|
|
|
--
|
|
2.27.0
|
|
|