]> git.ipfire.org Git - thirdparty/grub.git/commit
projects / thirdparty / grub.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2c8ac08) | patch
fs/tar: Integer overflow leads to heap OOB write
authorLidong Chen <lidong.chen@oracle.com>
Fri, 22 Nov 2024 06:27:58 +0000 (06:27 +0000)
committerDaniel Kiper <daniel.kiper@oracle.com>
Thu, 23 Jan 2025 15:15:31 +0000 (16:15 +0100)
commit0087bc6902182fe5cedce2d034c75a79cf6dd4f3
tree3ad2704c3e1f9f4c6bac60942e1256210abb0c69tree
parent2c8ac08c99466c0697f704242363fc687f492a0dcommit | diff
fs/tar: Integer overflow leads to heap OOB write

Both namesize and linksize are derived from hd.size, a 12-digit octal
number parsed by read_number(). Later direct arithmetic calculation like
"namesize + 1" and "linksize + 1" may exceed the maximum value of
grub_size_t leading to heap OOB write. This patch fixes the issue by
using grub_add() and checking for an overflow.

Fixes: CVE-2024-45780
Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
grub-core/fs/tar.c diff | blob | blame | history
Mirror of https://git.savannah.gnu.org/git/grub.git