master

分支 (10)

标签 (5)

管理

管理

master

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-Next

openEuler-20.03-LTS

openEuler-21.09

openEuler-21.03

openEuler-20.09

openEuler1.0

openEuler1.0-base

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

grub2
/
0208-envblk-Fix-buffer-overrun-when-a...

From aecc9de8fc2345cb582d0587fc89d01891ae2650 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 12 May 2020 01:00:51 +0200
Subject: [PATCH 208/220] envblk: Fix buffer overrun when attempting to shrink
 a variable value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If an existing variable is set with a value whose length is smaller than
the current value, a memory corruption can happen due copying padding '#'
characters outside of the environment block buffer.

This is caused by a wrong calculation of the previous free space position
after moving backward the characters that followed the old variable value.

That position is calculated to fill the remaining of the buffer with the
padding '#' characters. But since isn't calculated correctly, it can lead
to copies outside of the buffer.

The issue can be reproduced by creating a variable with a large value and
then try to set a new value that is much smaller:

$ grub2-editenv --version
grub2-editenv (GRUB) 2.04

$ grub2-editenv env create

$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"

$ wc -c env
1024 grubenv

$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
malloc(): corrupted top size
Aborted (core dumped)

$ wc -c env
0 grubenv

Reported-by: Renaud Métrich <rmetrich@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Patch-cc: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/lib/envblk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
index f89d86d..874506d 100644
--- a/grub-core/lib/envblk.c
+++ b/grub-core/lib/envblk.c
@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
               /* Move the following characters backward, and fill the new
                  space with harmless characters.  */
               grub_memmove (p + vl, p + len, pend - (p + len));
-              grub_memset (space + len - vl, '#', len - vl);
+              grub_memset (space - (len - vl), '#', len - vl);
             }
           else
             /* Move the following characters forward.  */
--
1.8.3.1