You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44 lines
1.5 KiB
44 lines
1.5 KiB
2 years ago
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Axtens <dja@axtens.net>
|
||
|
Date: Fri, 22 Jan 2021 17:10:48 +1100
|
||
|
Subject: [PATCH] commands/menuentry: Fix quoting in setparams_prefix()
|
||
|
|
||
|
Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
|
||
|
says that expressing a quoted single quote will require 3 characters. It
|
||
|
actually requires (and always did require!) 4 characters:
|
||
|
|
||
|
str: a'b => a'\''b
|
||
|
len: 3 => 6 (2 for the letters + 4 for the quote)
|
||
|
|
||
|
This leads to not allocating enough memory and thus out of bounds writes
|
||
|
that have been observed to cause heap corruption.
|
||
|
|
||
|
Allocate 4 bytes for each single quote.
|
||
|
|
||
|
Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
|
||
|
quoting, but it adds 3 as extra overhead on top of the single byte that
|
||
|
the quote already needs. So it's correct.
|
||
|
|
||
|
Fixes: CVE-2021-20233
|
||
|
Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
|
||
|
|
||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||
|
---
|
||
|
grub-core/commands/menuentry.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
|
||
|
index 4b5fcf2ce..7a533b974 100644
|
||
|
--- a/grub-core/commands/menuentry.c
|
||
|
+++ b/grub-core/commands/menuentry.c
|
||
|
@@ -239,7 +239,7 @@ setparams_prefix (int argc, char **args)
|
||
|
len += 3; /* 3 = 1 space + 2 quotes */
|
||
|
p = args[i];
|
||
|
while (*p)
|
||
|
- len += (*p++ == '\'' ? 3 : 1);
|
||
|
+ len += (*p++ == '\'' ? 4 : 1);
|
||
|
}
|
||
|
|
||
|
result = grub_malloc (len + 2);
|