[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 084/117] io/gzio: Catch missing values in huft_build() a
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 084/117] io/gzio: Catch missing values in huft_build() and bail |
Date: |
Tue, 2 Mar 2021 19:01:31 +0100 |
From: Daniel Axtens <dja@axtens.net>
In huft_build(), "v" is a table of values in order of bit length.
The code later (when setting up table entries in "r") assumes that all
elements of this array corresponding to a code are initialized and less
than N_MAX. However, it doesn't enforce this.
With sufficiently manipulated inputs (e.g. from fuzzing), there can be
elements of "v" that are not filled. Therefore a lookup into "e" or "d"
will use an uninitialized value. This can lead to an invalid/OOB read on
those values, often leading to a crash.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/io/gzio.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
index 4236f0fd4..19adebeed 100644
--- a/grub-core/io/gzio.c
+++ b/grub-core/io/gzio.c
@@ -507,6 +507,7 @@ huft_build (unsigned *b, /* code lengths in bits (all
assumed <= BMAX) */
}
/* Make a table of values in order of bit lengths */
+ grub_memset (v, N_MAX, ARRAY_SIZE (v));
p = b;
i = 0;
do
@@ -588,11 +589,18 @@ huft_build (unsigned *b, /* code lengths in bits (all
assumed <= BMAX) */
r.v.n = (ush) (*p); /* simple code is just the value */
p++; /* one compiler does not like *p++ */
}
- else
+ else if (*p < N_MAX)
{
r.e = (uch) e[*p - s]; /* non-simple--look up in lists */
r.v.n = d[*p++ - s];
}
+ else
+ {
+ /* Detected an uninitialised value, abort. */
+ if (h)
+ huft_free (u[0]);
+ return 2;
+ }
/* fill code-like entries with r */
f = 1 << (k - w);
--
2.11.0
- [SECURITY PATCH 069/117] video/readers/jpeg: Don't decode data before start of stream, (continued)
- [SECURITY PATCH 069/117] video/readers/jpeg: Don't decode data before start of stream, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 068/117] video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 072/117] fs/hfsplus: Don't fetch a key beyond the end of the node, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 071/117] fs/fshelp: Catch impermissibly large block sizes in read helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 082/117] io/gzio: Bail if gzio->tl/td is NULL, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 078/117] fs/jfs: Catch infinite recursion, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 073/117] fs/hfsplus: Don't use uninitialized data on corrupt filesystems, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 083/117] io/gzio: Add init_dynamic_block() clean up if unpacking codes fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 079/117] fs/nilfs2: Reject too-large keys, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 077/117] fs/jfs: Limit the extents that getblk() can consider, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 084/117] io/gzio: Catch missing values in huft_build() and bail,
Daniel Kiper <=
- [SECURITY PATCH 086/117] disk/lvm: Don't go beyond the end of the data we read from disk, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 087/117] disk/lvm: Don't blast past the end of the circular metadata buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 089/117] disk/lvm: Do not crash if an expected string is not found, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 085/117] io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 091/117] disk/lvm: Sanitize rlocn->offset to prevent wild read, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 096/117] kern/parser: Introduce process_char() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 097/117] kern/parser: Introduce terminate_arg() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 080/117] fs/nilfs2: Don't search children if provided number is too large, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 088/117] disk/lvm: Bail on missing PV list, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 099/117] kern/buffer: Add variable sized heap buffer, Daniel Kiper, 2021/03/02