[SECURITY PATCH 20/28] relocator: Fix grub_relocator_alloc_chunk

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 20/28] relocator: Fix grub_relocator_alloc_chunk_align()

From:	Daniel Kiper
Subject:	[SECURITY PATCH 20/28] relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation
Date:	Wed, 29 Jul 2020 19:00:33 +0200

From: Alexey Makhalov <amakhalov@vmware.com>

Current implementation of grub_relocator_alloc_chunk_align()
does not allow allocation of the top byte.

Assuming input args are:
  max_addr = 0xfffff000;
  size = 0x1000;

And this is valid. But following overflow protection will
unnecessarily move max_addr one byte down (to 0xffffefff):
  if (max_addr > ~size)
    max_addr = ~size;

~size + 1 will fix the situation. In addition, check size
for non zero to do not zero max_addr.

Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/lib/relocator.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
index 5847aac36..f2c1944c2 100644
--- a/grub-core/lib/relocator.c
+++ b/grub-core/lib/relocator.c
@@ -1386,8 +1386,8 @@ grub_relocator_alloc_chunk_align (struct grub_relocator 
*rel,
   };
   grub_addr_t min_addr2 = 0, max_addr2;
 
-  if (max_addr > ~size)
-    max_addr = ~size;
+  if (size && (max_addr > ~size))
+    max_addr = ~size + 1;
 
 #ifdef GRUB_MACHINE_PCBIOS
   if (min_addr < 0x1000)
-- 
2.11.0

[Prev in Thread]

Current Thread

[Next in Thread]

[SECURITY PATCH 22/28] lvm: Fix two more potential data-dependent alloc overflows, (continued)
- [SECURITY PATCH 22/28] lvm: Fix two more potential data-dependent alloc overflows, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 23/28] emu: Make grub_free(NULL) safe, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 24/28] efi: Fix some malformed device path arithmetic errors, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 25/28] efi/chainloader: Propagate errors from copy_file_path(), Daniel Kiper, 2020/07/29
- [SECURITY PATCH 26/28] efi: Fix use-after-free in halt/reboot path, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 27/28] loader/linux: Avoid overflow on initrd size calculation, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 28/28] linux: Fix integer overflows in initrd size handling, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 09/28] xnu: Fix double free in grub_xnu_devprop_add_property(), Daniel Kiper, 2020/07/29
- [SECURITY PATCH 16/28] relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 17/28] relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 20/28] relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation, Daniel Kiper <=
- [SECURITY PATCH 21/28] hfsplus: Fix two more overflows, Daniel Kiper, 2020/07/29
- Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole, Christian Hesse, 2020/07/29
  - Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole, John Paul Adrian Glaubitz, 2020/07/29
    - Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole, Dimitri John Ledkov, 2020/07/29
    - Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole, John Paul Adrian Glaubitz, 2020/07/29

Prev by Date: [SECURITY PATCH 17/28] relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow
Next by Date: [SECURITY PATCH 21/28] hfsplus: Fix two more overflows
Previous by thread: [SECURITY PATCH 17/28] relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow
Next by thread: [SECURITY PATCH 21/28] hfsplus: Fix two more overflows
Index(es):
- Date
- Thread