1From 1c7b619c84f229c1602c1958bcd054b6d9937562 Mon Sep 17 00:00:00 2001 2From: Alexey Makhalov <amakhalov@vmware.com> 3Date: Wed, 15 Jul 2020 06:42:37 +0000 4Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_addr() 5 input args against integer underflow/overflow 6MIME-Version: 1.0 7Content-Type: text/plain; charset=UTF-8 8Content-Transfer-Encoding: 8bit 9 10Use arithmetic macros from safemath.h to accomplish it. In this commit, 11I didn't want to be too paranoid to check every possible math equation 12for overflow/underflow. Only obvious places (with non zero chance of 13overflow/underflow) were refactored. 14 15Signed-off-by: Alexey Makhalov <amakhalov@vmware.com> 16Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 17Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 18--- 19 grub-core/loader/i386/linux.c | 9 +++++++-- 20 grub-core/loader/i386/pc/linux.c | 9 +++++++-- 21 grub-core/loader/i386/xen.c | 12 ++++++++++-- 22 grub-core/loader/xnu.c | 11 +++++++---- 23 4 files changed, 31 insertions(+), 10 deletions(-) 24 25diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c 26index d0501e229..02a73463a 100644 27--- a/grub-core/loader/i386/linux.c 28+++ b/grub-core/loader/i386/linux.c 29@@ -36,6 +36,7 @@ 30 #include <grub/lib/cmdline.h> 31 #include <grub/linux.h> 32 #include <grub/machine/kernel.h> 33+#include <grub/safemath.h> 34 35 GRUB_MOD_LICENSE ("GPLv3+"); 36 37@@ -547,9 +548,13 @@ grub_linux_boot (void) 38 39 { 40 grub_relocator_chunk_t ch; 41+ grub_size_t sz; 42+ 43+ if (grub_add (ctx.real_size, efi_mmap_size, &sz)) 44+ return GRUB_ERR_OUT_OF_RANGE; 45+ 46 err = grub_relocator_alloc_chunk_addr (relocator, &ch, 47- ctx.real_mode_target, 48- (ctx.real_size + efi_mmap_size)); 49+ ctx.real_mode_target, sz); 50 if (err) 51 return err; 52 real_mode_mem = get_virtual_current_address (ch); 53diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c 54index 47ea2945e..31f09922b 100644 55--- a/grub-core/loader/i386/pc/linux.c 56+++ b/grub-core/loader/i386/pc/linux.c 57@@ -35,6 +35,7 @@ 58 #include <grub/i386/floppy.h> 59 #include <grub/lib/cmdline.h> 60 #include <grub/linux.h> 61+#include <grub/safemath.h> 62 63 GRUB_MOD_LICENSE ("GPLv3+"); 64 65@@ -218,8 +219,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), 66 setup_sects = GRUB_LINUX_DEFAULT_SETUP_SECTS; 67 68 real_size = setup_sects << GRUB_DISK_SECTOR_BITS; 69- grub_linux16_prot_size = grub_file_size (file) 70- - real_size - GRUB_DISK_SECTOR_SIZE; 71+ if (grub_sub (grub_file_size (file), real_size, &grub_linux16_prot_size) || 72+ grub_sub (grub_linux16_prot_size, GRUB_DISK_SECTOR_SIZE, &grub_linux16_prot_size)) 73+ { 74+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); 75+ goto fail; 76+ } 77 78 if (! grub_linux_is_bzimage 79 && GRUB_LINUX_ZIMAGE_ADDR + grub_linux16_prot_size 80diff --git a/grub-core/loader/i386/xen.c b/grub-core/loader/i386/xen.c 81index 8f662c8ac..cd24874ca 100644 82--- a/grub-core/loader/i386/xen.c 83+++ b/grub-core/loader/i386/xen.c 84@@ -41,6 +41,7 @@ 85 #include <grub/linux.h> 86 #include <grub/i386/memory.h> 87 #include <grub/verify.h> 88+#include <grub/safemath.h> 89 90 GRUB_MOD_LICENSE ("GPLv3+"); 91 92@@ -636,6 +637,7 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)), 93 grub_relocator_chunk_t ch; 94 grub_addr_t kern_start; 95 grub_addr_t kern_end; 96+ grub_size_t sz; 97 98 if (argc == 0) 99 return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); 100@@ -703,8 +705,14 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)), 101 102 xen_state.max_addr = ALIGN_UP (kern_end, PAGE_SIZE); 103 104- err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, 105- kern_end - kern_start); 106+ 107+ if (grub_sub (kern_end, kern_start, &sz)) 108+ { 109+ err = GRUB_ERR_OUT_OF_RANGE; 110+ goto fail; 111+ } 112+ 113+ err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, sz); 114 if (err) 115 goto fail; 116 kern_chunk_src = get_virtual_current_address (ch); 117diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c 118index 77d7060e1..9ae4ceb35 100644 119--- a/grub-core/loader/xnu.c 120+++ b/grub-core/loader/xnu.c 121@@ -34,6 +34,7 @@ 122 #include <grub/env.h> 123 #include <grub/i18n.h> 124 #include <grub/verify.h> 125+#include <grub/safemath.h> 126 127 GRUB_MOD_LICENSE ("GPLv3+"); 128 129@@ -59,15 +60,17 @@ grub_xnu_heap_malloc (int size, void **src, grub_addr_t *target) 130 { 131 grub_err_t err; 132 grub_relocator_chunk_t ch; 133+ grub_addr_t tgt; 134+ 135+ if (grub_add (grub_xnu_heap_target_start, grub_xnu_heap_size, &tgt)) 136+ return GRUB_ERR_OUT_OF_RANGE; 137 138- err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, 139- grub_xnu_heap_target_start 140- + grub_xnu_heap_size, size); 141+ err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, tgt, size); 142 if (err) 143 return err; 144 145 *src = get_virtual_current_address (ch); 146- *target = grub_xnu_heap_target_start + grub_xnu_heap_size; 147+ *target = tgt; 148 grub_xnu_heap_size += size; 149 grub_dprintf ("xnu", "val=%p\n", *src); 150 return GRUB_ERR_NONE; 151-- 1522.26.2 153 154