1From 2f533a89a8dfcacbf2c9dbc77d910f111f24bf33 Mon Sep 17 00:00:00 2001 2From: Daniel Axtens <dja@axtens.net> 3Date: Fri, 22 Jan 2021 17:10:48 +1100 4Subject: [PATCH] commands/menuentry: Fix quoting in setparams_prefix() 5 6Commit 9acdcbf32542 (use single quotes in menuentry setparams command) 7says that expressing a quoted single quote will require 3 characters. It 8actually requires (and always did require!) 4 characters: 9 10 str: a'b => a'\''b 11 len: 3 => 6 (2 for the letters + 4 for the quote) 12 13This leads to not allocating enough memory and thus out of bounds writes 14that have been observed to cause heap corruption. 15 16Allocate 4 bytes for each single quote. 17 18Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same 19quoting, but it adds 3 as extra overhead on top of the single byte that 20the quote already needs. So it's correct. 21 22Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command) 23Fixes: CVE-2021-20233 24 25Reported-by: Daniel Axtens <dja@axtens.net> 26Signed-off-by: Daniel Axtens <dja@axtens.net> 27Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 28Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 29--- 30 grub-core/commands/menuentry.c | 2 +- 31 1 file changed, 1 insertion(+), 1 deletion(-) 32 33diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c 34index 9164df7..720e6d8 100644 35--- a/grub-core/commands/menuentry.c 36+++ b/grub-core/commands/menuentry.c 37@@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args) 38 len += 3; /* 3 = 1 space + 2 quotes */ 39 p = args[i]; 40 while (*p) 41- len += (*p++ == '\'' ? 3 : 1); 42+ len += (*p++ == '\'' ? 4 : 1); 43 } 44 45 result = grub_malloc (len + 2); 46-- 472.14.2 48 49