Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
PUBLIC_REPOS
/
buildroot
-ын хуулбар git://git.buildroot.net/buildroot
2
1
Салаа 0
Файлууд
Мод: ded3e0045a
Салаанууд Тагууд
buildroot
/
boot
/
grub2
/
0023-script-execute-Limit-the-recursion-depth.patch

0023-script-execute-Limit-the-recursion-depth.patch 2.0 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. From 2a094a7116c56519a42a13c96e77bdeda6069076 Mon Sep 17 00:00:00 2001
    2. 

  2. From: B Horn <b@horn.uk>
    3. 

  3. Date: Thu, 18 Apr 2024 19:04:13 +0100
    4. 

  4. Subject: [PATCH] script/execute: Limit the recursion depth
    5. 

  5. 

  6. If unbounded recursion is allowed it becomes possible to collide the
    7. 

  7. stack with the heap. As UEFI firmware often lacks guard pages this
    8. 

  8. becomes an exploitable issue as it is possible in some cases to do
    9. 

  9. a controlled overwrite of a section of this heap region with
    10. 

  10. arbitrary data.
    11. 

  11. 

  12. Reported-by: B Horn <b@horn.uk>
    13. 

  13. Signed-off-by: B Horn <b@horn.uk>
    14. 

  14. Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
    15. 

  15. Upstream: d8a937ccae5c6d86dc4375698afca5cefdcd01e1
    16. 

  16. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    17. 

  17. ---
    18. 

  18.  grub-core/script/execute.c | 14 ++++++++++++++
    19. 

  19.  1 file changed, 14 insertions(+)
    20. 

  20. 

  21. diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
    22. 

  22. index 14ff09094..e1450f45d 100644
    23. 

  23. --- a/grub-core/script/execute.c
    24. 

  24. +++ b/grub-core/script/execute.c
    25. 

  25. @@ -33,10 +33,18 @@
    26. 

  26.     is sizeof (int) * 3, and one extra for a possible -ve sign.  */
    27. 

  27.  #define ERRNO_DIGITS_MAX  (sizeof (int) * 3 + 1)
    28. 

  28.  
    29. 

  29. +/*
    30. 

  30. + * A limit on recursion, to avoid colliding with the heap. UEFI defines a baseline
    31. 

  31. + * stack size of 128 KiB. So, assuming at most 1-2 KiB per iteration this should
    32. 

  32. + * keep us safe.
    33. 

  33. + */
    34. 

  34. +#define MAX_RECURSION_DEPTH 64
    35. 

  35. +
    36. 

  36.  static unsigned long is_continue;
    37. 

  37.  static unsigned long active_loops;
    38. 

  38.  static unsigned long active_breaks;
    39. 

  39.  static unsigned long function_return;
    40. 

  40. +static unsigned long recursion_depth;
    41. 

  41.  
    42. 

  42.  #define GRUB_SCRIPT_SCOPE_MALLOCED      1
    43. 

  43.  #define GRUB_SCRIPT_SCOPE_ARGS_MALLOCED 2
    44. 

  44. @@ -816,7 +824,13 @@ grub_script_execute_cmd (struct grub_script_cmd *cmd)
    45. 

  45.    if (cmd == 0)
    46. 

  46.      return 0;
    47. 

  47.  
    48. 

  48. +  recursion_depth++;
    49. 

  49. +
    50. 

  50. +  if (recursion_depth >= MAX_RECURSION_DEPTH)
    51. 

  51. +    return grub_error (GRUB_ERR_RECURSION_DEPTH, N_("maximum recursion depth exceeded"));
    52. 

  52. +
    53. 

  53.    ret = cmd->exec (cmd);
    54. 

  54. +  recursion_depth--;
    55. 

  55.  
    56. 

  56.    grub_snprintf (errnobuf, sizeof (errnobuf), "%d", ret);
    57. 

  57.    grub_env_set ("?", errnobuf);
    58. 

  58. -- 
    59. 

  59. 2.50.1
    60. 

  60.