git.ipfire.org Git - thirdparty/grub.git/commit

author	B Horn <b@horn.uk>
	Thu, 18 Apr 2024 14:59:26 +0000 (15:59 +0100)
committer	Daniel Kiper <daniel.kiper@oracle.com>
	Thu, 13 Feb 2025 14:45:55 +0000 (15:45 +0100)
commit	500e5fdd82ca40412b0b73f5e5dda38e4a3af96d
tree	49f4ae376e093842a1479480c35a212cc7fd1f36	tree
parent	2c34af908ebf4856051ed29e46d88abd2b20387f	commit \| diff

kern/dl: Fix for an integer overflow in grub_dl_ref()

It was possible to overflow the value of mod->ref_count, a signed
integer, by repeatedly invoking insmod on an already loaded module.
This led to a use-after-free. As once ref_count was overflowed it became
possible to unload the module while there was still references to it.

This resolves the issue by using grub_add() to check if the ref_count
will overflow and then stops further increments. Further changes were
also made to grub_dl_unref() to check for the underflow condition and
the reference count was changed to an unsigned 64-bit integer.

Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

grub-core/commands/minicmd.c		diff \| blob \| blame \| history
grub-core/kern/dl.c		diff \| blob \| blame \| history
include/grub/dl.h		diff \| blob \| blame \| history
util/misc.c		diff \| blob \| blame \| history