1From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001 2From: Daniel Axtens <dja@axtens.net> 3Date: Fri, 22 Jan 2021 16:07:29 +1100 4Subject: [PATCH] lib/arg: Block repeated short options that require an 5 argument 6 7Fuzzing found the following crash: 8 9 search -hhhhhhhhhhhhhf 10 11We didn't allocate enough option space for 13 hints because the 12allocation code counts the number of discrete arguments (i.e. argc). 13However, the shortopt parsing code will happily keep processing 14a combination of short options without checking if those short 15options require an argument. This means you can easily end writing 16past the allocated option space. 17 18This fixes a OOB write which can cause heap corruption. 19 20Fixes: CVE-2021-20225 21 22Reported-by: Daniel Axtens <dja@axtens.net> 23Signed-off-by: Daniel Axtens <dja@axtens.net> 24Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 25Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 26--- 27 grub-core/lib/arg.c | 13 +++++++++++++ 28 1 file changed, 13 insertions(+) 29 30diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c 31index 3288609..537c5e9 100644 32--- a/grub-core/lib/arg.c 33+++ b/grub-core/lib/arg.c 34@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv, 35 it can have an argument value. */ 36 if (*curshort) 37 { 38+ /* 39+ * Only permit further short opts if this one doesn't 40+ * require a value. 41+ */ 42+ if (opt->type != ARG_TYPE_NONE && 43+ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL)) 44+ { 45+ grub_error (GRUB_ERR_BAD_ARGUMENT, 46+ N_("missing mandatory option for `%s'"), 47+ opt->longarg); 48+ goto fail; 49+ } 50+ 51 if (parse_option (cmd, opt, 0, usr) || grub_errno) 52 goto fail; 53 } 54-- 552.14.2 56 57