import grub2-2.02-82.el8_2.1

512acd7c · Rocky Automation · d35121ea · 512acd7c · 512acd7c · 512acd7c
Commit 512acd7c authored 4 years ago by Rocky Automation
--- a/SOURCES/0272-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
+++ b/SOURCES/0272-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 12 May 2020 01:00:51 +0200
+Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
+ variable value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an existing variable is set with a value whose length is smaller than
+the current value, a memory corruption can happen due copying padding '#'
+characters outside of the environment block buffer.
+
+This is caused by a wrong calculation of the previous free space position
+after moving backward the characters that followed the old variable value.
+
+That position is calculated to fill the remaining of the buffer with the
+padding '#' characters. But since isn't calculated correctly, it can lead
+to copies outside of the buffer.
+
+The issue can be reproduced by creating a variable with a large value and
+then try to set a new value that is much smaller:
+
+$ grub2-editenv --version
+grub2-editenv (GRUB) 2.04
+
+$ grub2-editenv env create
+
+$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
+
+$ wc -c env
+1024 grubenv
+
+$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
+malloc(): corrupted top size
+Aborted (core dumped)
+
+$ wc -c env
+0 grubenv
+
+Resolves: rhbz#1836196
+
+Reported-by: Renaud Métrich <rmetrich@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Patch-cc: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/lib/envblk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
+index 230e0e9d9ab..2e4e78b132d 100644
+--- a/grub-core/lib/envblk.c
+++ b/grub-core/lib/envblk.c
+@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
+               /* Move the following characters backward, and fill the new
+                  space with harmless characters.  */
+               grub_memmove (p + vl, p + len, pend - (p + len));
+-              grub_memset (space + len - vl, '#', len - vl);
+              grub_memset (space - (len - vl), '#', len - vl);
+             }
+           else
+             /* Move the following characters forward.  */
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -269,3 +269,4 @@ Patch0268: 0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch
 Patch0269: 0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch
 Patch0270: 0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch
 Patch0271: 0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch
+Patch0272: 0272-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	81%{?dist}
+Release:	82%{?dist}.1
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@@ -498,6 +498,10 @@ fi
 %endif

 %changelog
+* Mon May 18 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-82.el8_2.1
+- Fix a segfault in grub2-editenv when attempting to shrink a variable
+  Resolves: rhbz#1836196
+
 * Thu Dec 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-81
 - Another fix for blscfg variable expansion support
  Related: rhbz#1669252