From: Alec Brown <alec.r.brown@oracle.com>
Date: Fri, 14 Oct 2022 21:47:08 +0000 (-0400)
Subject: disk/cryptodisk: Fix unintentional integer overflow
X-Git-Tag: grub-2.12-rc1~247
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c76a07e15f09e7d06bb3c30666caa35f13d8b3a7;p=thirdparty%2Fgrub.git

disk/cryptodisk: Fix unintentional integer overflow

In the function grub_cryptodisk_endecrypt(), a for loop is incrementing the
variable i by (1U << log_sector_size). The variable i is of type grub_size_t
which is a 64-bit unsigned integer on x86_64 architecture. On the other hand, 1U
is a 32-bit unsigned integer. By performing a left shift on a 32-bit value and
assigning it to a 64-bit variable, the 64-bit variable may have incorrect values
in the high 32-bits if the shift has an overflow. To avoid this, we replace 1U
with (grub_size_t)1.

Fixes: CID 307788

Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Patrick Steinhardt <ps@pks.im>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index a4cd8445f..14308822a 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -262,7 +262,7 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
     return (do_encrypt ? grub_crypto_ecb_encrypt (dev->cipher, data, data, len)
 	    : grub_crypto_ecb_decrypt (dev->cipher, data, data, len));
 
-  for (i = 0; i < len; i += (1U << log_sector_size))
+  for (i = 0; i < len; i += ((grub_size_t) 1 << log_sector_size))
     {
       grub_size_t sz = ((dev->cipher->cipher->blocksize
 			 + sizeof (grub_uint32_t) - 1)