grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 065/117] commands/menuentry: Fix quoting in setparams_pr


From: Daniel Kiper
Subject: [SECURITY PATCH 065/117] commands/menuentry: Fix quoting in setparams_prefix()
Date: Tue, 2 Mar 2021 19:01:12 +0100

From: Daniel Axtens <dja@axtens.net>

Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
says that expressing a quoted single quote will require 3 characters. It
actually requires (and always did require!) 4 characters:

  str: a'b => a'\''b
  len:  3  => 6 (2 for the letters + 4 for the quote)

This leads to not allocating enough memory and thus out of bounds writes
that have been observed to cause heap corruption.

Allocate 4 bytes for each single quote.

Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
quoting, but it adds 3 as extra overhead on top of the single byte that
the quote already needs. So it's correct.

Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
Fixes: CVE-2021-20233

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/commands/menuentry.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
index 9164df744..720e6d8ea 100644
--- a/grub-core/commands/menuentry.c
+++ b/grub-core/commands/menuentry.c
@@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args)
       len += 3; /* 3 = 1 space + 2 quotes */
       p = args[i];
       while (*p)
-       len += (*p++ == '\'' ? 3 : 1);
+       len += (*p++ == '\'' ? 4 : 1);
     }
 
   result = grub_malloc (len + 2);
-- 
2.11.0




reply via email to

[Prev in Thread] Current Thread [Next in Thread]