From 512acd7cad1656221d7a1065710b03925375b00e Mon Sep 17 00:00:00 2001
From: rockyautomation <rockyautomation@rockylinux.org>
Date: Mon, 22 Feb 2021 04:27:57 +0100
Subject: [PATCH] import grub2-2.02-82.el8_2.1
---
 ...r-overrun-when-attempting-to-shrink-.patch | 62 +++++++++++++++++++
 SOURCES/grub.patches | 1 +
 SPECS/grub2.spec | 6 +-
 3 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0272-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
diff --git a/SOURCES/0272-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch b/SOURCES/0272-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
new file mode 100644
index 0000000..293500b
--- /dev/null
+++ b/SOURCES/0272-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 12 May 2020 01:00:51 +0200
+Subject: [PATCH] envblk: Fix buffer overrun when attempting to shrink a
+ variable value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an existing variable is set with a value whose length is smaller than
+the current value, a memory corruption can happen due copying padding '#'
+characters outside of the environment block buffer.
+
+This is caused by a wrong calculation of the previous free space position
+after moving backward the characters that followed the old variable value.
+
+That position is calculated to fill the remaining of the buffer with the
+padding '#' characters. But since isn't calculated correctly, it can lead
+to copies outside of the buffer.
+
+The issue can be reproduced by creating a variable with a large value and
+then try to set a new value that is much smaller:
+
+$ grub2-editenv --version
+grub2-editenv (GRUB) 2.04
+
+$ grub2-editenv env create
+
+$ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)"
+
+$ wc -c env
+1024 grubenv
+
+$ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)"
+malloc(): corrupted top size
+Aborted (core dumped)
+
+$ wc -c env
+0 grubenv
+
+Resolves: rhbz#1836196
+
+Reported-by: Renaud Métrich <rmetrich@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Patch-cc: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/lib/envblk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/envblk.c b/grub-core/lib/envblk.c
+index 230e0e9d9ab..2e4e78b132d 100644
+--- a/grub-core/lib/envblk.c
++++ b/grub-core/lib/envblk.c
+@@ -143,7 +143,7 @@ grub_envblk_set (grub_envblk_t envblk, const char *name, const char *value)
+ /* Move the following characters backward, and fill the new
+ space with harmless characters. */
+ grub_memmove (p + vl, p + len, pend - (p + len));
+- grub_memset (space + len - vl, '#', len - vl);
++ grub_memset (space - (len - vl), '#', len - vl);
+ }
+ else
+ /* Move the following characters forward. */
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index ea7ecf6..67bf4df 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -269,3 +269,4 @@ Patch0268: 0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch
 Patch0269: 0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch
 Patch0270: 0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch
 Patch0271: 0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch
+Patch0272: 0272-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 844c1fc..a61d573 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.02
-Release: 81%{?dist}
+Release: 82%{?dist}.1
 Summary: Bootloader with support for Linux, Multiboot and more
 Group: System Environment/Base
 License: GPLv3+
@@ -498,6 +498,10 @@ fi
 %endif

 %changelog
+* Mon May 18 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-82.el8_2.1
+- Fix a segfault in grub2-editenv when attempting to shrink a variable
+ Resolves: rhbz#1836196
+
 * Thu Dec 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-81
 - Another fix for blscfg variable expansion support
 Related: rhbz#1669252
-- 
GitLab
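Review bot: The comment above the corrected grub_memset in the nested envblk.c hunk still only says "fill the new space with harmless characters" and does not explain why the padding now starts at `space - (len - vl)`, which is exactly the calculation this patch fixes. Because grub_memmove shifts everything from `p + len` down to `p + vl`, the first free byte moves back by `len - vl`, so the gap that needs '#' padding is `[space - (len - vl), space)`; I would record that, e.g. `/* The memmove above shifted the free area back by len - vl bytes; pad exactly that gap, which ends at the old free-space start and so does not run past the block.  */`. grub_envblk_set starts and ends outside the hunk, so how `space` is derived (presumably the first padding byte after the last variable) is inferred here rather than visible. A regression check mirroring the commit message (set a long value, then a much shorter one, then confirm the file is still 1024 bytes and `grub2-editenv env list` prints the value) would make the fix verifiable from the package's tests rather than only by the reproducer.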