grub-devel

Re: [PATCH] envblk: Fix buffer overrun when attempting to shrink a variable value


From: Daniel Kiper
Subject: Re: [PATCH] envblk: Fix buffer overrun when attempting to shrink a variable value
Date: Wed, 13 May 2020 14:38:13 +0200
User-agent: NeoMutt/20170113 (1.7.2)

On Tue, May 12, 2020 at 02:32:25PM +0200, Javier Martinez Canillas wrote:
> If an existing variable is set with a value whose length is smaller than
> the current value, a memory corruption can happen due copying padding '#'
> characters outside of the environment block buffer.
>
> This is caused by a wrong calculation of the previous free space position
> after moving backward the characters that followed the old variable value.
>
> That position is calculated to fill the remaining of the buffer with the
> padding '#' characters. But since isn't calculated correctly, it can lead
> to copies outside of the buffer.
>
> The issue can be reproduced by creating a variable with a large value and
> then try to set a new value that is much smaller:
>
> $ grub2-editenv --version
> grub2-editenv (GRUB) 2.04
>
> $ grub2-editenv env create
>
> $ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
>
> $ wc -c env
> 1024 grubenv
>
> $ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
> malloc(): corrupted top size
> Aborted (core dumped)
>
> $ wc -c env
> 0 grubenv
>
> Reported-by: Renaud Métrich <address@hidden>
> Signed-off-by: Javier Martinez Canillas <address@hidden>

Reviewed-by: Daniel Kiper <address@hidden>

Daniel
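The shrink path the commit message describes, as an added example that is not GRUB's code and not the patch under review: a minimal, bounds-checked `name=value\n` block in the grubenv layout (the `# GRUB Environment Block\n` signature, records, `#` padding out to 1024 bytes), with a guard region placed directly behind the buffer so that padding written past the block is detected instead of silently corrupting the heap. It assumes values contain no newline or backslash (the real format escapes those); the type and function names (`envblk_t`, `envblk_set`, `envblk_check`, `repro_shrink`) are mine, not GRUB's.

```c
/* Added example, not GRUB code: bounds-checked envblk "set" with a guard
 * region behind the block to catch writes past its end. Assumes values
 * contain no '\n' or '\\' (the real format escapes them). */
#include <stdio.h>
#include <string.h>

#define ENVBLK_SIZE 1024
#define ENVBLK_SIGNATURE "# GRUB Environment Block\n"  /* header of a grubenv file */
#define GUARD_SIZE 16
#define GUARD_BYTE 0xA5

typedef struct {
    char buf[ENVBLK_SIZE];
    unsigned char guard[GUARD_SIZE];  /* canary: any write past buf lands here */
} envblk_t;

void envblk_create(envblk_t *e)
{
    memset(e->buf, '#', ENVBLK_SIZE);
    memcpy(e->buf, ENVBLK_SIGNATURE, sizeof(ENVBLK_SIGNATURE) - 1);
    memset(e->guard, GUARD_BYTE, GUARD_SIZE);
}

/* Offset of the first padding byte. A record never starts with '#', so the
 * first '#' at a record boundary ends the used region. ENVBLK_SIZE if malformed. */
static size_t envblk_used_end(const envblk_t *e)
{
    size_t p = sizeof(ENVBLK_SIGNATURE) - 1;
    while (p < ENVBLK_SIZE && e->buf[p] != '#') {
        const char *nl = memchr(e->buf + p, '\n', ENVBLK_SIZE - p);
        if (!nl)
            return ENVBLK_SIZE;
        p = (size_t)(nl - e->buf) + 1;
    }
    return p;
}

/* Set name=value, replacing an existing record in place. 0 on success, -1 if it
 * would not fit. Every write stays inside buf[0 .. ENVBLK_SIZE). */
int envblk_set(envblk_t *e, const char *name, const char *value)
{
    size_t nl = strlen(name), vl = strlen(value);
    size_t end = envblk_used_end(e);
    size_t p = sizeof(ENVBLK_SIGNATURE) - 1;

    while (p < end) {
        const char *nlp = memchr(e->buf + p, '\n', end - p);
        size_t rec_end = (size_t)(nlp - e->buf) + 1;      /* one past '\n' */
        if (p + nl < rec_end && !memcmp(e->buf + p, name, nl) && e->buf[p + nl] == '=') {
            size_t val_start = p + nl + 1;
            size_t old_vl = rec_end - 1 - val_start;
            size_t tail_len = end - rec_end;                /* records after this one */
            size_t new_end = end - old_vl + vl;             /* used end after the edit */
            if (new_end > ENVBLK_SIZE)
                return -1;
            memmove(e->buf + val_start + vl + 1, e->buf + rec_end, tail_len);
            memcpy(e->buf + val_start, value, vl);
            e->buf[val_start + vl] = '\n';
            /* Padding starts at the new used end and stops at the block end; when
             * old_vl > vl this is exactly the region the shrink frees. */
            memset(e->buf + new_end, '#', ENVBLK_SIZE - new_end);
            return 0;
        }
        p = rec_end;
    }
    if (end + nl + 1 + vl + 1 > ENVBLK_SIZE)
        return -1;
    memcpy(e->buf + end, name, nl);
    e->buf[end + nl] = '=';
    memcpy(e->buf + end + nl + 1, value, vl);
    e->buf[end + nl + 1 + vl] = '\n';
    return 0;
}

/* Copy the value of name into out, NUL-terminated. Returns its length or -1. */
int envblk_get(const envblk_t *e, const char *name, char *out, size_t outsz)
{
    size_t nl = strlen(name), end = envblk_used_end(e);
    size_t p = sizeof(ENVBLK_SIGNATURE) - 1;
    while (p < end) {
        const char *nlp = memchr(e->buf + p, '\n', end - p);
        size_t rec_end = (size_t)(nlp - e->buf) + 1;
        if (p + nl < rec_end && !memcmp(e->buf + p, name, nl) && e->buf[p + nl] == '=') {
            size_t vl = rec_end - 1 - (p + nl + 1);
            if (vl + 1 > outsz)
                return -1;
            memcpy(out, e->buf + p + nl + 1, vl);
            out[vl] = '\0';
            return (int)vl;
        }
        p = rec_end;
    }
    return -1;
}

/* 1 if the guard is untouched and everything after the used region is '#'. */
int envblk_check(const envblk_t *e)
{
    for (size_t i = envblk_used_end(e); i < ENVBLK_SIZE; i++)
        if (e->buf[i] != '#') return 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (e->guard[i] != GUARD_BYTE) return 0;
    return 1;
}

/* The commit message's reproducer: a 500-byte value, then 50 bytes for the same
 * variable. Returns the length read back after the shrink, -1 on any damage. */
int repro_shrink(void)
{
    envblk_t e;
    char big[501], small[51], out[600];
    memset(big, 'b', 500);  big[500] = '\0';      /* constructed input */
    memset(small, 'b', 50); small[50] = '\0';
    envblk_create(&e);
    if (envblk_set(&e, "a", big) != 0 || envblk_set(&e, "a", small) != 0)
        return -1;
    if (!envblk_check(&e))
        return -1;
    return envblk_get(&e, "a", out, sizeof out);
}

int main(void)
{
    envblk_t e;
    char out[64];
    envblk_create(&e);
    envblk_set(&e, "a", "0123456789");
    envblk_set(&e, "saved_entry", "1");
    envblk_set(&e, "a", "xy");   /* shrink with a record behind it: tail moves back */
    envblk_get(&e, "saved_entry", out, sizeof out);
    printf("saved_entry=%s intact=%d used_end=%zu\n", out, envblk_check(&e), envblk_used_end(&e));
    printf("repro_shrink -> %d\n", repro_shrink());
    return 0;
}
```

The line to watch is `new_end` in `envblk_set`: the padding must begin at the used end computed after the following records have been moved back, and its length is `ENVBLK_SIZE - new_end`, so the `memset` cannot run past the block. `repro_shrink` replays the 500-byte-then-50-byte sequence from the commit message and only reports success if both the `#` padding and the guard bytes behind the buffer are intact.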


