boot/grub2/0021-hfsplus-Fix-two-more-overflows.patch - buildroot - Git at Google

 From feec993673d8e13fcf22fe2389ac29222b6daebd Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Sun, 19 Jul 2020 14:43:31 -0400
 Subject: [PATCH] hfsplus: Fix two more overflows
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 Both node->size and node->namelen come from the supplied filesystem,
 which may be user-supplied. We can't trust them for the math unless we
 know they don't overflow. Making sure they go through grub_add() or
 grub_calloc() first will give us that.

 Signed-off-by: Peter Jones <pjones@redhat.com>
 Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
 ---
  grub-core/fs/hfsplus.c | 11 ++++++++---
  1 file changed, 8 insertions(+), 3 deletions(-)

 diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
 index dae43becc..9c4e4c88c 100644
 --- a/grub-core/fs/hfsplus.c
 +++ b/grub-core/fs/hfsplus.c
 @@ -31,6 +31,7 @@
  #include <grub/hfs.h>
  #include <grub/charset.h>
  #include <grub/hfsplus.h>
 +#include <grub/safemath.h>

  GRUB_MOD_LICENSE ("GPLv3+");

 @@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
  {
    char *symlink;
    grub_ssize_t numread;
 +  grub_size_t sz = node->size;

 -  symlink = grub_malloc (node->size + 1);
 +  if (grub_add (sz, 1, &sz))
 +    return NULL;
 +
 +  symlink = grub_malloc (sz);
    if (!symlink)
      return 0;

 @@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
    if (type == GRUB_FSHELP_UNKNOWN)
      return 0;

 -  filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
 -			  * GRUB_MAX_UTF8_PER_UTF16 + 1);
 +  filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
 +			  GRUB_MAX_UTF8_PER_UTF16 + 1);
    if (! filename)
      return 0;

 --
 2.26.2
	From feec993673d8e13fcf22fe2389ac29222b6daebd Mon Sep 17 00:00:00 2001
	From: Peter Jones <pjones@redhat.com>
	Date: Sun, 19 Jul 2020 14:43:31 -0400
	Subject: [PATCH] hfsplus: Fix two more overflows
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	Both node->size and node->namelen come from the supplied filesystem,
	which may be user-supplied. We can't trust them for the math unless we
	know they don't overflow. Making sure they go through grub_add() or
	grub_calloc() first will give us that.

	Signed-off-by: Peter Jones <pjones@redhat.com>
	Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
	---
	grub-core/fs/hfsplus.c \| 11 ++++++++---
	1 file changed, 8 insertions(+), 3 deletions(-)

	diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
	index dae43becc..9c4e4c88c 100644
	--- a/grub-core/fs/hfsplus.c
	+++ b/grub-core/fs/hfsplus.c
	@@ -31,6 +31,7 @@
	#include <grub/hfs.h>
	#include <grub/charset.h>
	#include <grub/hfsplus.h>
	+#include <grub/safemath.h>

	GRUB_MOD_LICENSE ("GPLv3+");

	@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
	{
	char *symlink;
	grub_ssize_t numread;
	+ grub_size_t sz = node->size;

	- symlink = grub_malloc (node->size + 1);
	+ if (grub_add (sz, 1, &sz))
	+ return NULL;
	+
	+ symlink = grub_malloc (sz);
	if (!symlink)
	return 0;

	@@ -715,8 +720,8 @@ list_nodes (void record, void hook_arg)
	if (type == GRUB_FSHELP_UNKNOWN)
	return 0;

	- filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
	- * GRUB_MAX_UTF8_PER_UTF16 + 1);
	+ filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
	+ GRUB_MAX_UTF8_PER_UTF16 + 1);
	if (! filename)
	return 0;

	--
	2.26.2