| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 |
- From dfe673e457e9eb5c7c0c68d8385ba176476de7d7 Mon Sep 17 00:00:00 2001
- From: Lidong Chen <lidong.chen@oracle.com>
- Date: Fri, 22 Nov 2024 06:27:57 +0000
- Subject: [PATCH] gettext: Integer overflow leads to heap OOB write
- The size calculation of the translation buffer in
- grub_gettext_getstr_from_position() may overflow
- to 0 leading to heap OOB write. This patch fixes
- the issue by using grub_add() and checking for
- an overflow.
- Fixes: CVE-2024-45777
- Reported-by: Nils Langius <nils@langius.de>
- Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
- Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
- Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
- Upstream: b970a5ed967816bbca8225994cd0ee2557bad515
- Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- ---
- grub-core/gettext/gettext.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
- diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
- index 63bb1ab73..9ffc73428 100644
- --- a/grub-core/gettext/gettext.c
- +++ b/grub-core/gettext/gettext.c
- @@ -26,6 +26,7 @@
- #include <grub/file.h>
- #include <grub/kernel.h>
- #include <grub/i18n.h>
- +#include <grub/safemath.h>
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
- @@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
- char *translation;
- struct string_descriptor desc;
- grub_err_t err;
- + grub_size_t alloc_sz;
-
- internal_position = (off + position * sizeof (desc));
-
- @@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
- length = grub_cpu_to_le32 (desc.length);
- offset = grub_cpu_to_le32 (desc.offset);
-
- - translation = grub_malloc (length + 1);
- + if (grub_add (length, 1, &alloc_sz))
- + return NULL;
- +
- + translation = grub_malloc (alloc_sz);
- if (!translation)
- return NULL;
-
- --
- 2.50.1
|
