tablet/grub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

gettext: Integer overflow leads to heap OOB write

Browse Source 
The size calculation of the translation buffer in
grub_gettext_getstr_from_position() may overflow
to 0 leading to heap OOB write. This patch fixes
the issue by using grub_add() and checking for
an overflow.

Fixes: CVE-2024-45777

Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
This commit is contained in:
Lidong Chen 2024-11-22 06:27:57 +00:00 committed by Daniel Kiper
parent 09bd6eb58b
commit b970a5ed96
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
grub-core/gettext/gettext.c
View File

@ -26,6 +26,7 @@
#include <grub/file.h> #include <grub/file.h>
#include <grub/kernel.h> #include <grub/kernel.h>
#include <grub/i18n.h> #include <grub/i18n.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+"); GRUB_MOD_LICENSE ("GPLv3+");
@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
char *translation; char *translation;
struct string_descriptor desc; struct string_descriptor desc;
grub_err_t err; grub_err_t err;
grub_size_t alloc_sz;
internal_position = (off + position * sizeof (desc)); internal_position = (off + position * sizeof (desc));
@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
length = grub_cpu_to_le32 (desc.length); length = grub_cpu_to_le32 (desc.length);
offset = grub_cpu_to_le32 (desc.offset); offset = grub_cpu_to_le32 (desc.offset);
translation = grub_malloc (length + 1); if (grub_add (length, 1, &alloc_sz))
return NULL;
translation = grub_malloc (alloc_sz);
if (!translation) if (!translation)
return NULL; return NULL;