From: Lidong Chen Date: Thu, 5 Jun 2025 05:03:19 +0000 (+0000) Subject: osdep/unix/hostdisk: Fix signed integer overflow X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86e8f2c4b021c854d14d32e1bce1576dcab7c14c;p=thirdparty%2Fgrub.git osdep/unix/hostdisk: Fix signed integer overflow The potential overflow issue arises at "size += ret;" because "size" is of type ssize_t (signed) while "len" is size_t (unsigned). Repeatedly adding read sizes, "ret", to "size" can potentially exceed the maximum value of ssize_t, causing it to overflow into a negative or incorrect value. The fix is to ensure "len" is within the range of SSIZE_MAX. Fixes: CID 473850 Fixes: CID 473863 Signed-off-by: Lidong Chen Reviewed-by: Daniel Kiper --- diff --git a/grub-core/osdep/unix/hostdisk.c b/grub-core/osdep/unix/hostdisk.c index 3a00d7451..353db01f6 100644 --- a/grub-core/osdep/unix/hostdisk.c +++ b/grub-core/osdep/unix/hostdisk.c @@ -101,6 +101,9 @@ grub_util_fd_read (grub_util_fd_t fd, char *buf, size_t len) { ssize_t size = 0; + if (len > SSIZE_MAX) + return -1; + while (len) { ssize_t ret = read (fd, buf, len); @@ -131,6 +134,9 @@ grub_util_fd_write (grub_util_fd_t fd, const char *buf, size_t len) { ssize_t size = 0; + if (len > SSIZE_MAX) + return -1; + while (len) { ssize_t ret = write (fd, buf, len);
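Review bot: In the grub_util_fd_read hunk, the new "if (len > SSIZE_MAX) return -1;" placed before the "while (len)" loop rejects the request without setting errno or saying why, so a caller that gets -1 cannot tell an oversized len from any other failure that produces a negative return. Consider setting errno (for example to EINVAL) before the return, and add a one-line comment above the check stating that it keeps the accumulated "size += ret" within the range of ssize_t, since the reason is only given in the commit message.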
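Review bot: In the grub_util_fd_write hunk, the added check uses SSIZE_MAX but the diff adds no #include to hostdisk.c. SSIZE_MAX is defined by <limits.h>, so confirm that header is included directly in this file rather than reaching it through a transitive include that may differ between hosts. The check is also a verbatim copy of the one added to grub_util_fd_read; a small shared helper or macro, with the explanatory comment in one place, would keep the two from drifting apart.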