Kezdőlap Felfedezés Súgó
Bejelentkezés
PUBLIC_REPOS
/
buildroot
tükrözi: git://git.buildroot.net/buildroot
2
1
Másolás 0
Fájlok
Fa: ded3e0045a
Branch-ok Tag-ek
buildroot
/
boot
/
grub2
/
0029-kern-dl-Fix-for-an-integer-overflow-in-grub_dl_ref.patch

0029-kern-dl-Fix-for-an-integer-overflow-in-grub_dl_ref.patch 4.4 KB
Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143 
  1. From 4d70ddc5255b6d3f752da4120f593d7007222ca2 Mon Sep 17 00:00:00 2001
    2. 

  2. From: B Horn <b@horn.uk>
    3. 

  3. Date: Thu, 18 Apr 2024 15:59:26 +0100
    4. 

  4. Subject: [PATCH] kern/dl: Fix for an integer overflow in grub_dl_ref()
    5. 

  5. 

  6. It was possible to overflow the value of mod->ref_count, a signed
    7. 

  7. integer, by repeatedly invoking insmod on an already loaded module.
    8. 

  8. This led to a use-after-free. As once ref_count was overflowed it became
    9. 

  9. possible to unload the module while there was still references to it.
    10. 

  10. 

  11. This resolves the issue by using grub_add() to check if the ref_count
    12. 

  12. will overflow and then stops further increments. Further changes were
    13. 

  13. also made to grub_dl_unref() to check for the underflow condition and
    14. 

  14. the reference count was changed to an unsigned 64-bit integer.
    15. 

  15. 

  16. Reported-by: B Horn <b@horn.uk>
    17. 

  17. Signed-off-by: B Horn <b@horn.uk>
    18. 

  18. Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
    19. 

  19. Upstream: 500e5fdd82ca40412b0b73f5e5dda38e4a3af96d
    20. 

  20. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    21. 

  21. ---
    22. 

  22.  grub-core/commands/minicmd.c |  2 +-
    23. 

  23.  grub-core/kern/dl.c          | 17 ++++++++++++-----
    24. 

  24.  include/grub/dl.h            |  8 ++++----
    25. 

  25.  util/misc.c                  |  4 ++--
    26. 

  26.  4 files changed, 19 insertions(+), 12 deletions(-)
    27. 

  27. 

  28. diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
    29. 

  29. index fa498931e..286290866 100644
    30. 

  30. --- a/grub-core/commands/minicmd.c
    31. 

  31. +++ b/grub-core/commands/minicmd.c
    32. 

  32. @@ -167,7 +167,7 @@ grub_mini_cmd_lsmod (struct grub_command *cmd __attribute__ ((unused)),
    33. 

  33.    {
    34. 

  34.      grub_dl_dep_t dep;
    35. 

  35.  
    36. 

  36. -    grub_printf ("%s\t%d\t\t", mod->name, mod->ref_count);
    37. 

  37. +    grub_printf ("%s\t%" PRIuGRUB_UINT64_T "\t\t", mod->name, mod->ref_count);
    38. 

  38.      for (dep = mod->dep; dep; dep = dep->next)
    39. 

  39.        {
    40. 

  40.  	if (dep != mod->dep)
    41. 

  41. diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
    42. 

  42. index 0bf40caa6..1a38742e6 100644
    43. 

  43. --- a/grub-core/kern/dl.c
    44. 

  44. +++ b/grub-core/kern/dl.c
    45. 

  45. @@ -32,6 +32,7 @@
    46. 

  46.  #include <grub/env.h>
    47. 

  47.  #include <grub/cache.h>
    48. 

  48.  #include <grub/i18n.h>
    49. 

  49. +#include <grub/safemath.h>
    50. 

  50.  
    51. 

  51.  /* Platforms where modules are in a readonly area of memory.  */
    52. 

  52.  #if defined(GRUB_MACHINE_QEMU)
    53. 

  53. @@ -532,7 +533,7 @@ grub_dl_resolve_dependencies (grub_dl_t mod, Elf_Ehdr *e)
    54. 

  54.    return GRUB_ERR_NONE;
    55. 

  55.  }
    56. 

  56.  
    57. 

  57. -int
    58. 

  58. +grub_uint64_t
    59. 

  59.  grub_dl_ref (grub_dl_t mod)
    60. 

  60.  {
    61. 

  61.    grub_dl_dep_t dep;
    62. 

  62. @@ -543,10 +544,13 @@ grub_dl_ref (grub_dl_t mod)
    63. 

  63.    for (dep = mod->dep; dep; dep = dep->next)
    64. 

  64.      grub_dl_ref (dep->mod);
    65. 

  65.  
    66. 

  66. -  return ++mod->ref_count;
    67. 

  67. +  if (grub_add (mod->ref_count, 1, &mod->ref_count))
    68. 

  68. +    grub_fatal ("Module reference count overflow");
    69. 

  69. +
    70. 

  70. +  return mod->ref_count;
    71. 

  71.  }
    72. 

  72.  
    73. 

  73. -int
    74. 

  74. +grub_uint64_t
    75. 

  75.  grub_dl_unref (grub_dl_t mod)
    76. 

  76.  {
    77. 

  77.    grub_dl_dep_t dep;
    78. 

  78. @@ -557,10 +561,13 @@ grub_dl_unref (grub_dl_t mod)
    79. 

  79.    for (dep = mod->dep; dep; dep = dep->next)
    80. 

  80.      grub_dl_unref (dep->mod);
    81. 

  81.  
    82. 

  82. -  return --mod->ref_count;
    83. 

  83. +  if (grub_sub (mod->ref_count, 1, &mod->ref_count))
    84. 

  84. +    grub_fatal ("Module reference count underflow");
    85. 

  85. +
    86. 

  86. +  return mod->ref_count;
    87. 

  87.  }
    88. 

  88.  
    89. 

  89. -int
    90. 

  90. +grub_uint64_t
    91. 

  91.  grub_dl_ref_count (grub_dl_t mod)
    92. 

  92.  {
    93. 

  93.    if (mod == NULL)
    94. 

  94. diff --git a/include/grub/dl.h b/include/grub/dl.h
    95. 

  95. index cd1f46c8b..f0a94e273 100644
    96. 

  96. --- a/include/grub/dl.h
    97. 

  97. +++ b/include/grub/dl.h
    98. 

  98. @@ -174,7 +174,7 @@ typedef struct grub_dl_dep *grub_dl_dep_t;
    99. 

  99.  struct grub_dl
    100. 

  100.  {
    101. 

  101.    char *name;
    102. 

  102. -  int ref_count;
    103. 

  103. +  grub_uint64_t ref_count;
    104. 

  104.    int persistent;
    105. 

  105.    grub_dl_dep_t dep;
    106. 

  106.    grub_dl_segment_t segment;
    107. 

  107. @@ -203,9 +203,9 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
    108. 

  108.  grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
    109. 

  109.  grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
    110. 

  110.  int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
    111. 

  111. -extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
    112. 

  112. -extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
    113. 

  113. -extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
    114. 

  114. +extern grub_uint64_t EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
    115. 

  115. +extern grub_uint64_t EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
    116. 

  116. +extern grub_uint64_t EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
    117. 

  117.  
    118. 

  118.  extern grub_dl_t EXPORT_VAR(grub_dl_head);
    119. 

  119.  
    120. 

  120. diff --git a/util/misc.c b/util/misc.c
    121. 

  121. index d545212d9..0f928e5b4 100644
    122. 

  122. --- a/util/misc.c
    123. 

  123. +++ b/util/misc.c
    124. 

  124. @@ -190,14 +190,14 @@ grub_xputs_real (const char *str)
    125. 

  125.  
    126. 

  126.  void (*grub_xputs) (const char *str) = grub_xputs_real;
    127. 

  127.  
    128. 

  128. -int
    129. 

  129. +grub_uint64_t
    130. 

  130.  grub_dl_ref (grub_dl_t mod)
    131. 

  131.  {
    132. 

  132.    (void) mod;
    133. 

  133.    return 0;
    134. 

  134.  }
    135. 

  135.  
    136. 

  136. -int
    137. 

  137. +grub_uint64_t
    138. 

  138.  grub_dl_unref (grub_dl_t mod)
    139. 

  139.  {
    140. 

  140.    (void) mod;
    141. 

  141. -- 
    142. 

  142. 2.50.1
    143. 

  143.