Commit 512acd7c authored by Rocky Automation's avatar Rocky Automation 📺
Browse files

import grub2-2.02-82.el8_2.1

parent d35121ea
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 12 May 2020 01:00:51 +0200
Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
variable value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If an existing variable is set with a value whose length is smaller than
the current value, a memory corruption can happen due copying padding '#'
characters outside of the environment block buffer.
This is caused by a wrong calculation of the previous free space position
after moving backward the characters that followed the old variable value.
That position is calculated to fill the remaining of the buffer with the
padding '#' characters. But since isn't calculated correctly, it can lead
to copies outside of the buffer.
The issue can be reproduced by creating a variable with a large value and
then try to set a new value that is much smaller:
$ grub2-editenv --version
grub2-editenv (GRUB) 2.04
$ grub2-editenv env create
$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
$ wc -c env
1024 grubenv
$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
malloc(): corrupted top size
Aborted (core dumped)
$ wc -c env
0 grubenv
Resolves: rhbz#1836196
Reported-by: Renaud Métrich <rmetrich@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Patch-cc: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/lib/envblk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
index 230e0e9d9ab..2e4e78b132d 100644
--- a/grub-core/lib/envblk.c
+++ b/grub-core/lib/envblk.c
@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
/* Move the following characters backward, and fill the new
space with harmless characters. */
grub_memmove (p + vl, p + len, pend - (p + len));
- grub_memset (space + len - vl, '#', len - vl);
+ grub_memset (space - (len - vl), '#', len - vl);
}
else
/* Move the following characters forward. */
......@@ -269,3 +269,4 @@ Patch0268: 0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch
Patch0269: 0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch
Patch0270: 0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch
Patch0271: 0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch
Patch0272: 0272-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
......@@ -7,7 +7,7 @@
Name: grub2
Epoch: 1
Version: 2.02
Release: 81%{?dist}
Release: 82%{?dist}.1
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
......@@ -498,6 +498,10 @@ fi
%endif
%changelog
* Mon May 18 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-82.el8_2.1
- Fix a segfault in grub2-editenv when attempting to shrink a variable
Resolves: rhbz#1836196
* Thu Dec 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-81
- Another fix for blscfg variable expansion support
Related: rhbz#1669252
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment