[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 115/117] gfxmenu/gui: Check printf() format in the gui_p
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 115/117] gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label |
Date: |
Tue, 2 Mar 2021 19:02:02 +0100 |
From: Thomas Frauendorfer | Miray Software <tf@miray.de>
The gui_progress_bar and gui_label components can display the timeout
value. The format string can be set through a theme file. This patch
adds a validation step to the format string.
If a user loads a theme file into the GRUB without this patch then
a GUI label with the following settings
+ label {
...
id = "__timeout__"
text = "%s"
}
will interpret the current timeout value as string pointer and print the
memory at that position on the screen. It is not desired behavior.
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gfxmenu/gui_label.c | 4 ++++
grub-core/gfxmenu/gui_progress_bar.c | 3 +++
2 files changed, 7 insertions(+)
diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
index a4c817891..1c190542a 100644
--- a/grub-core/gfxmenu/gui_label.c
+++ b/grub-core/gfxmenu/gui_label.c
@@ -193,6 +193,10 @@ label_set_property (void *vself, const char *name, const
char *value)
else if (grub_strcmp (value, "@KEYMAP_SHORT@") == 0)
value = _("enter: boot, `e': options, `c': cmd-line");
/* FIXME: Add more templates here if needed. */
+
+ if (grub_printf_fmt_check(value, "%d") != GRUB_ERR_NONE)
+ value = ""; /* Unsupported format. */
+
self->template = grub_strdup (value);
self->text = grub_xasprintf (value, self->value);
}
diff --git a/grub-core/gfxmenu/gui_progress_bar.c
b/grub-core/gfxmenu/gui_progress_bar.c
index b128f0866..ace85a125 100644
--- a/grub-core/gfxmenu/gui_progress_bar.c
+++ b/grub-core/gfxmenu/gui_progress_bar.c
@@ -348,6 +348,9 @@ progress_bar_set_property (void *vself, const char *name,
const char *value)
Please use the shortest form available in you language. */
value = _("%ds");
+ if (grub_printf_fmt_check(value, "%d") != GRUB_ERR_NONE)
+ value = ""; /* Unsupported format. */
+
self->template = grub_strdup (value);
}
else if (grub_strcmp (name, "font") == 0)
--
2.11.0
- [SECURITY PATCH 108/117] util/mkimage: Refactor section setup to use a helper, (continued)
- [SECURITY PATCH 107/117] util/mkimage: Improve data_size value calculation, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 100/117] kern/parser: Fix a stack buffer overflow, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 103/117] util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 105/117] util/mkimage: Unify more of the PE32 and PE32+ header set-up, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 101/117] kern/efi: Add initial stack protector implementation, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 109/117] util/mkimage: Add an option to import SBAT metadata into a .sbat section, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 115/117] gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label,
Daniel Kiper <=
- [SECURITY PATCH 104/117] util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap stuff, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 112/117] kern/misc: Split parse_printf_args() into format parsing and va_list handling, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 106/117] util/mkimage: Reorder PE optional header fields set-up, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 114/117] kern/misc: Add function to check printf() format against expected format, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 116/117] templates: Disable the os-prober by default, Daniel Kiper, 2021/03/02