[SECURITY PATCH 25/28] efi/chainloader: Propagate errors from copy_file

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 25/28] efi/chainloader: Propagate errors from copy_file_

From:	Daniel Kiper
Subject:	[SECURITY PATCH 25/28] efi/chainloader: Propagate errors from copy_file_path()
Date:	Wed, 29 Jul 2020 19:00:38 +0200

Without any error propagated to the caller, make_file_path()
would then try to advance the invalid device path node with
GRUB_EFI_NEXT_DEVICE_PATH(), which would fail, returning a NULL
pointer that would subsequently be dereferenced. Hence, propagate
errors from copy_file_path().

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/loader/efi/chainloader.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/grub-core/loader/efi/chainloader.c 
b/grub-core/loader/efi/chainloader.c
index a8d7b9155..7b31c3fb9 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -106,7 +106,7 @@ grub_chainloader_boot (void)
   return grub_errno;
 }
 
-static void
+static grub_err_t
 copy_file_path (grub_efi_file_path_device_path_t *fp,
                const char *str, grub_efi_uint16_t len)
 {
@@ -118,7 +118,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
 
   path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
   if (!path_name)
-    return;
+    return grub_error (GRUB_ERR_OUT_OF_MEMORY, "failed to allocate path 
buffer");
 
   size = grub_utf8_to_utf16 (path_name, len * GRUB_MAX_UTF16_PER_UTF8,
                             (const grub_uint8_t *) str, len, 0);
@@ -131,6 +131,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
   fp->path_name[size++] = '\0';
   fp->header.length = size * sizeof (grub_efi_char16_t) + sizeof (*fp);
   grub_free (path_name);
+  return GRUB_ERR_NONE;
 }
 
 static grub_efi_device_path_t *
@@ -189,13 +190,19 @@ make_file_path (grub_efi_device_path_t *dp, const char 
*filename)
   d = (grub_efi_device_path_t *) ((char *) file_path
                                  + ((char *) d - (char *) dp));
   grub_efi_print_device_path (d);
-  copy_file_path ((grub_efi_file_path_device_path_t *) d,
-                 dir_start, dir_end - dir_start);
+  if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
+                     dir_start, dir_end - dir_start) != GRUB_ERR_NONE)
+    {
+ fail:
+      grub_free (file_path);
+      return 0;
+    }
 
   /* Fill the file path for the file.  */
   d = GRUB_EFI_NEXT_DEVICE_PATH (d);
-  copy_file_path ((grub_efi_file_path_device_path_t *) d,
-                 dir_end + 1, grub_strlen (dir_end + 1));
+  if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
+                     dir_end + 1, grub_strlen (dir_end + 1)) != GRUB_ERR_NONE)
+    goto fail;
 
   /* Fill the end of device path nodes.  */
   d = GRUB_EFI_NEXT_DEVICE_PATH (d);
-- 
2.11.0

[Prev in Thread]

Current Thread

[Next in Thread]

[SECURITY PATCH 11/28] lzma: Make sure we don't dereference past array, (continued)
- [SECURITY PATCH 11/28] lzma: Make sure we don't dereference past array, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 12/28] term: Fix overflow on user inputs, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 13/28] udf: Fix memory leak, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 14/28] multiboot2: Fix memory leak if grub_create_loader_cmdline() fails, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 15/28] tftp: Do not use priority queue, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 18/28] script: Remove unused fields from grub_script_function struct, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 19/28] script: Avoid a use-after-free when redefining a function during execution, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 22/28] lvm: Fix two more potential data-dependent alloc overflows, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 23/28] emu: Make grub_free(NULL) safe, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 24/28] efi: Fix some malformed device path arithmetic errors, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 25/28] efi/chainloader: Propagate errors from copy_file_path(), Daniel Kiper <=
- [SECURITY PATCH 26/28] efi: Fix use-after-free in halt/reboot path, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 27/28] loader/linux: Avoid overflow on initrd size calculation, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 28/28] linux: Fix integer overflows in initrd size handling, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 09/28] xnu: Fix double free in grub_xnu_devprop_add_property(), Daniel Kiper, 2020/07/29
- [SECURITY PATCH 16/28] relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 17/28] relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 20/28] relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 21/28] hfsplus: Fix two more overflows, Daniel Kiper, 2020/07/29
- Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole, Christian Hesse, 2020/07/29
  - Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole, John Paul Adrian Glaubitz, 2020/07/29

Prev by Date: [SECURITY PATCH 24/28] efi: Fix some malformed device path arithmetic errors
Next by Date: [SECURITY PATCH 26/28] efi: Fix use-after-free in halt/reboot path
Previous by thread: [SECURITY PATCH 24/28] efi: Fix some malformed device path arithmetic errors
Next by thread: [SECURITY PATCH 26/28] efi: Fix use-after-free in halt/reboot path
Index(es):
- Date
- Thread