1From 0cfbbca3ccd84d36ffb1bcd6644ada7c73b19fc0 Mon Sep 17 00:00:00 2001 2From: Alexey Makhalov <amakhalov@vmware.com> 3Date: Wed, 8 Jul 2020 01:44:38 +0000 4Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_align() 5 max_addr against integer underflow 6MIME-Version: 1.0 7Content-Type: text/plain; charset=UTF-8 8Content-Transfer-Encoding: 8bit 9 10This commit introduces integer underflow mitigation in max_addr calculation 11in grub_relocator_alloc_chunk_align() invocation. 12 13It consists of 2 fixes: 14 1. Introduced grub_relocator_alloc_chunk_align_safe() wrapper function to perform 15 sanity check for min/max and size values, and to make safe invocation of 16 grub_relocator_alloc_chunk_align() with validated max_addr value. Replace all 17 invocations such as grub_relocator_alloc_chunk_align(..., min_addr, max_addr - size, size, ...) 18 by grub_relocator_alloc_chunk_align_safe(..., min_addr, max_addr, size, ...). 19 2. Introduced UP_TO_TOP32(s) macro for the cases where max_addr is 32-bit top 20 address (0xffffffff - size + 1) or similar. 21 22Signed-off-by: Alexey Makhalov <amakhalov@vmware.com> 23Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 24Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 25--- 26 grub-core/lib/i386/relocator.c | 28 ++++++++++---------------- 27 grub-core/lib/mips/relocator.c | 6 ++---- 28 grub-core/lib/powerpc/relocator.c | 6 ++---- 29 grub-core/lib/x86_64/efi/relocator.c | 7 +++---- 30 grub-core/loader/i386/linux.c | 5 ++--- 31 grub-core/loader/i386/multiboot_mbi.c | 7 +++---- 32 grub-core/loader/i386/pc/linux.c | 6 ++---- 33 grub-core/loader/mips/linux.c | 9 +++------ 34 grub-core/loader/multiboot.c | 2 +- 35 grub-core/loader/multiboot_elfxx.c | 10 ++++----- 36 grub-core/loader/multiboot_mbi2.c | 10 ++++----- 37 grub-core/loader/xnu_resume.c | 2 +- 38 include/grub/relocator.h | 29 +++++++++++++++++++++++++++ 39 13 files changed, 69 insertions(+), 58 deletions(-) 40 41diff --git a/grub-core/lib/i386/relocator.c b/grub-core/lib/i386/relocator.c 42index 71dd4f0ab..34cbe834f 100644 43--- a/grub-core/lib/i386/relocator.c 44+++ b/grub-core/lib/i386/relocator.c 45@@ -83,11 +83,10 @@ grub_relocator32_boot (struct grub_relocator *rel, 46 /* Specific memory range due to Global Descriptor Table for use by payload 47 that we will store in returned chunk. The address range and preference 48 are based on "THE LINUX/x86 BOOT PROTOCOL" specification. */ 49- err = grub_relocator_alloc_chunk_align (rel, &ch, 0x1000, 50- 0x9a000 - RELOCATOR_SIZEOF (32), 51- RELOCATOR_SIZEOF (32), 16, 52- GRUB_RELOCATOR_PREFERENCE_LOW, 53- avoid_efi_bootservices); 54+ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0x1000, 0x9a000, 55+ RELOCATOR_SIZEOF (32), 16, 56+ GRUB_RELOCATOR_PREFERENCE_LOW, 57+ avoid_efi_bootservices); 58 if (err) 59 return err; 60 61@@ -125,13 +124,10 @@ grub_relocator16_boot (struct grub_relocator *rel, 62 grub_relocator_chunk_t ch; 63 64 /* Put it higher than the byte it checks for A20 check. */ 65- err = grub_relocator_alloc_chunk_align (rel, &ch, 0x8010, 66- 0xa0000 - RELOCATOR_SIZEOF (16) 67- - GRUB_RELOCATOR16_STACK_SIZE, 68- RELOCATOR_SIZEOF (16) 69- + GRUB_RELOCATOR16_STACK_SIZE, 16, 70- GRUB_RELOCATOR_PREFERENCE_NONE, 71- 0); 72+ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0x8010, 0xa0000, 73+ RELOCATOR_SIZEOF (16) + 74+ GRUB_RELOCATOR16_STACK_SIZE, 16, 75+ GRUB_RELOCATOR_PREFERENCE_NONE, 0); 76 if (err) 77 return err; 78 79@@ -183,11 +179,9 @@ grub_relocator64_boot (struct grub_relocator *rel, 80 void *relst; 81 grub_relocator_chunk_t ch; 82 83- err = grub_relocator_alloc_chunk_align (rel, &ch, min_addr, 84- max_addr - RELOCATOR_SIZEOF (64), 85- RELOCATOR_SIZEOF (64), 16, 86- GRUB_RELOCATOR_PREFERENCE_NONE, 87- 0); 88+ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, min_addr, max_addr, 89+ RELOCATOR_SIZEOF (64), 16, 90+ GRUB_RELOCATOR_PREFERENCE_NONE, 0); 91 if (err) 92 return err; 93 94diff --git a/grub-core/lib/mips/relocator.c b/grub-core/lib/mips/relocator.c 95index 9d5f49cb9..743b213e6 100644 96--- a/grub-core/lib/mips/relocator.c 97+++ b/grub-core/lib/mips/relocator.c 98@@ -120,10 +120,8 @@ grub_relocator32_boot (struct grub_relocator *rel, 99 unsigned i; 100 grub_addr_t vtarget; 101 102- err = grub_relocator_alloc_chunk_align (rel, &ch, 0, 103- (0xffffffff - stateset_size) 104- + 1, stateset_size, 105- sizeof (grub_uint32_t), 106+ err = grub_relocator_alloc_chunk_align (rel, &ch, 0, UP_TO_TOP32 (stateset_size), 107+ stateset_size, sizeof (grub_uint32_t), 108 GRUB_RELOCATOR_PREFERENCE_NONE, 0); 109 if (err) 110 return err; 111diff --git a/grub-core/lib/powerpc/relocator.c b/grub-core/lib/powerpc/relocator.c 112index bdf2b111b..8ffb8b686 100644 113--- a/grub-core/lib/powerpc/relocator.c 114+++ b/grub-core/lib/powerpc/relocator.c 115@@ -115,10 +115,8 @@ grub_relocator32_boot (struct grub_relocator *rel, 116 unsigned i; 117 grub_relocator_chunk_t ch; 118 119- err = grub_relocator_alloc_chunk_align (rel, &ch, 0, 120- (0xffffffff - stateset_size) 121- + 1, stateset_size, 122- sizeof (grub_uint32_t), 123+ err = grub_relocator_alloc_chunk_align (rel, &ch, 0, UP_TO_TOP32 (stateset_size), 124+ stateset_size, sizeof (grub_uint32_t), 125 GRUB_RELOCATOR_PREFERENCE_NONE, 0); 126 if (err) 127 return err; 128diff --git a/grub-core/lib/x86_64/efi/relocator.c b/grub-core/lib/x86_64/efi/relocator.c 129index 3caef7a40..7d200a125 100644 130--- a/grub-core/lib/x86_64/efi/relocator.c 131+++ b/grub-core/lib/x86_64/efi/relocator.c 132@@ -50,10 +50,9 @@ grub_relocator64_efi_boot (struct grub_relocator *rel, 133 * 64-bit relocator code may live above 4 GiB quite well. 134 * However, I do not want ask for problems. Just in case. 135 */ 136- err = grub_relocator_alloc_chunk_align (rel, &ch, 0, 137- 0x100000000 - RELOCATOR_SIZEOF (64_efi), 138- RELOCATOR_SIZEOF (64_efi), 16, 139- GRUB_RELOCATOR_PREFERENCE_NONE, 1); 140+ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0, 0x100000000, 141+ RELOCATOR_SIZEOF (64_efi), 16, 142+ GRUB_RELOCATOR_PREFERENCE_NONE, 1); 143 if (err) 144 return err; 145 146diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c 147index 02a73463a..efbb99307 100644 148--- a/grub-core/loader/i386/linux.c 149+++ b/grub-core/loader/i386/linux.c 150@@ -181,9 +181,8 @@ allocate_pages (grub_size_t prot_size, grub_size_t *align, 151 for (; err && *align + 1 > min_align; (*align)--) 152 { 153 grub_errno = GRUB_ERR_NONE; 154- err = grub_relocator_alloc_chunk_align (relocator, &ch, 155- 0x1000000, 156- 0xffffffff & ~prot_size, 157+ err = grub_relocator_alloc_chunk_align (relocator, &ch, 0x1000000, 158+ UP_TO_TOP32 (prot_size), 159 prot_size, 1 << *align, 160 GRUB_RELOCATOR_PREFERENCE_LOW, 161 1); 162diff --git a/grub-core/loader/i386/multiboot_mbi.c b/grub-core/loader/i386/multiboot_mbi.c 163index ad3cc292f..a67d9d0a8 100644 164--- a/grub-core/loader/i386/multiboot_mbi.c 165+++ b/grub-core/loader/i386/multiboot_mbi.c 166@@ -466,10 +466,9 @@ grub_multiboot_make_mbi (grub_uint32_t *target) 167 168 bufsize = grub_multiboot_get_mbi_size (); 169 170- err = grub_relocator_alloc_chunk_align (grub_multiboot_relocator, &ch, 171- 0x10000, 0xa0000 - bufsize, 172- bufsize, 4, 173- GRUB_RELOCATOR_PREFERENCE_NONE, 0); 174+ err = grub_relocator_alloc_chunk_align_safe (grub_multiboot_relocator, &ch, 175+ 0x10000, 0xa0000, bufsize, 4, 176+ GRUB_RELOCATOR_PREFERENCE_NONE, 0); 177 if (err) 178 return err; 179 ptrorig = get_virtual_current_address (ch); 180diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c 181index 31f09922b..5fed5ffdf 100644 182--- a/grub-core/loader/i386/pc/linux.c 183+++ b/grub-core/loader/i386/pc/linux.c 184@@ -453,10 +453,8 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), 185 186 { 187 grub_relocator_chunk_t ch; 188- err = grub_relocator_alloc_chunk_align (relocator, &ch, 189- addr_min, addr_max - size, 190- size, 0x1000, 191- GRUB_RELOCATOR_PREFERENCE_HIGH, 0); 192+ err = grub_relocator_alloc_chunk_align_safe (relocator, &ch, addr_min, addr_max, size, 193+ 0x1000, GRUB_RELOCATOR_PREFERENCE_HIGH, 0); 194 if (err) 195 return err; 196 initrd_chunk = get_virtual_current_address (ch); 197diff --git a/grub-core/loader/mips/linux.c b/grub-core/loader/mips/linux.c 198index 7b723bf18..e4ed95921 100644 199--- a/grub-core/loader/mips/linux.c 200+++ b/grub-core/loader/mips/linux.c 201@@ -442,12 +442,9 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), 202 { 203 grub_relocator_chunk_t ch; 204 205- err = grub_relocator_alloc_chunk_align (relocator, &ch, 206- (target_addr & 0x1fffffff) 207- + linux_size + 0x10000, 208- (0x10000000 - size), 209- size, 0x10000, 210- GRUB_RELOCATOR_PREFERENCE_NONE, 0); 211+ err = grub_relocator_alloc_chunk_align_safe (relocator, &ch, (target_addr & 0x1fffffff) + 212+ linux_size + 0x10000, 0x10000000, size, 213+ 0x10000, GRUB_RELOCATOR_PREFERENCE_NONE, 0); 214 215 if (err) 216 goto fail; 217diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c 218index 4a98d7082..facb13f3d 100644 219--- a/grub-core/loader/multiboot.c 220+++ b/grub-core/loader/multiboot.c 221@@ -403,7 +403,7 @@ grub_cmd_module (grub_command_t cmd __attribute__ ((unused)), 222 { 223 grub_relocator_chunk_t ch; 224 err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch, 225- lowest_addr, (0xffffffff - size) + 1, 226+ lowest_addr, UP_TO_TOP32 (size), 227 size, MULTIBOOT_MOD_ALIGN, 228 GRUB_RELOCATOR_PREFERENCE_NONE, 1); 229 if (err) 230diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c 231index cc6853692..f2318e0d1 100644 232--- a/grub-core/loader/multiboot_elfxx.c 233+++ b/grub-core/loader/multiboot_elfxx.c 234@@ -109,10 +109,10 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld) 235 if (load_size > mld->max_addr || mld->min_addr > mld->max_addr - load_size) 236 return grub_error (GRUB_ERR_BAD_OS, "invalid min/max address and/or load size"); 237 238- err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch, 239- mld->min_addr, mld->max_addr - load_size, 240- load_size, mld->align ? mld->align : 1, 241- mld->preference, mld->avoid_efi_boot_services); 242+ err = grub_relocator_alloc_chunk_align_safe (GRUB_MULTIBOOT (relocator), &ch, 243+ mld->min_addr, mld->max_addr, 244+ load_size, mld->align ? mld->align : 1, 245+ mld->preference, mld->avoid_efi_boot_services); 246 247 if (err) 248 { 249@@ -256,7 +256,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld) 250 continue; 251 252 err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch, 0, 253- (0xffffffff - sh->sh_size) + 1, 254+ UP_TO_TOP32 (sh->sh_size), 255 sh->sh_size, sh->sh_addralign, 256 GRUB_RELOCATOR_PREFERENCE_NONE, 257 mld->avoid_efi_boot_services); 258diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c 259index 0efc66062..03967839c 100644 260--- a/grub-core/loader/multiboot_mbi2.c 261+++ b/grub-core/loader/multiboot_mbi2.c 262@@ -295,10 +295,10 @@ grub_multiboot2_load (grub_file_t file, const char *filename) 263 return grub_error (GRUB_ERR_BAD_OS, "invalid min/max address and/or load size"); 264 } 265 266- err = grub_relocator_alloc_chunk_align (grub_multiboot2_relocator, &ch, 267- mld.min_addr, mld.max_addr - code_size, 268- code_size, mld.align ? mld.align : 1, 269- mld.preference, keep_bs); 270+ err = grub_relocator_alloc_chunk_align_safe (grub_multiboot2_relocator, &ch, 271+ mld.min_addr, mld.max_addr, 272+ code_size, mld.align ? mld.align : 1, 273+ mld.preference, keep_bs); 274 } 275 else 276 err = grub_relocator_alloc_chunk_addr (grub_multiboot2_relocator, 277@@ -708,7 +708,7 @@ grub_multiboot2_make_mbi (grub_uint32_t *target) 278 COMPILE_TIME_ASSERT (MULTIBOOT_TAG_ALIGN % sizeof (grub_properly_aligned_t) == 0); 279 280 err = grub_relocator_alloc_chunk_align (grub_multiboot2_relocator, &ch, 281- 0, 0xffffffff - bufsize, 282+ 0, UP_TO_TOP32 (bufsize), 283 bufsize, MULTIBOOT_TAG_ALIGN, 284 GRUB_RELOCATOR_PREFERENCE_NONE, 1); 285 if (err) 286diff --git a/grub-core/loader/xnu_resume.c b/grub-core/loader/xnu_resume.c 287index 8089804d4..d648ef0cd 100644 288--- a/grub-core/loader/xnu_resume.c 289+++ b/grub-core/loader/xnu_resume.c 290@@ -129,7 +129,7 @@ grub_xnu_resume (char *imagename) 291 { 292 grub_relocator_chunk_t ch; 293 err = grub_relocator_alloc_chunk_align (grub_xnu_relocator, &ch, 0, 294- (0xffffffff - hibhead.image_size) + 1, 295+ UP_TO_TOP32 (hibhead.image_size), 296 hibhead.image_size, 297 GRUB_XNU_PAGESIZE, 298 GRUB_RELOCATOR_PREFERENCE_NONE, 0); 299diff --git a/include/grub/relocator.h b/include/grub/relocator.h 300index 24d8672d2..1b3bdd92a 100644 301--- a/include/grub/relocator.h 302+++ b/include/grub/relocator.h 303@@ -49,6 +49,35 @@ grub_relocator_alloc_chunk_align (struct grub_relocator *rel, 304 int preference, 305 int avoid_efi_boot_services); 306 307+/* 308+ * Wrapper for grub_relocator_alloc_chunk_align() with purpose of 309+ * protecting against integer underflow. 310+ * 311+ * Compare to its callee, max_addr has different meaning here. 312+ * It covers entire chunk and not just start address of the chunk. 313+ */ 314+static inline grub_err_t 315+grub_relocator_alloc_chunk_align_safe (struct grub_relocator *rel, 316+ grub_relocator_chunk_t *out, 317+ grub_phys_addr_t min_addr, 318+ grub_phys_addr_t max_addr, 319+ grub_size_t size, grub_size_t align, 320+ int preference, 321+ int avoid_efi_boot_services) 322+{ 323+ /* Sanity check and ensure following equation (max_addr - size) is safe. */ 324+ if (max_addr < size || (max_addr - size) < min_addr) 325+ return GRUB_ERR_OUT_OF_RANGE; 326+ 327+ return grub_relocator_alloc_chunk_align (rel, out, min_addr, 328+ max_addr - size, 329+ size, align, preference, 330+ avoid_efi_boot_services); 331+} 332+ 333+/* Top 32-bit address minus s bytes and plus 1 byte. */ 334+#define UP_TO_TOP32(s) ((~(s) & 0xffffffff) + 1) 335+ 336 #define GRUB_RELOCATOR_PREFERENCE_NONE 0 337 #define GRUB_RELOCATOR_PREFERENCE_LOW 1 338 #define GRUB_RELOCATOR_PREFERENCE_HIGH 2 339-- 3402.26.2 341 342