fs: Prevent overflows when allocating memory for arrays
authorLidong Chen <lidong.chen@oracle.com>
Tue, 21 Jan 2025 19:02:37 +0000 (19:02 +0000)
committerDaniel Kiper <daniel.kiper@oracle.com>
Thu, 13 Feb 2025 14:45:57 +0000 (15:45 +0100)
Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.

The HFS+ and squash4 security vulnerabilities were reported by
Jonathan Bar Or <jonathanbaror@gmail.com>.

Fixes: CVE-2025-0678
Fixes: CVE-2025-1125
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/fs/btrfs.c
grub-core/fs/hfspluscomp.c
grub-core/fs/squash4.c

index 0625b116609549b5b7e56f0d94ea0b9244d81534..9c1e925c92e75be214767c419b06a4bc7679c546 100644 (file)
@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev)
     }
 
   data->n_devices_allocated = 16;
-  data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
-                                       * data->n_devices_allocated);
+  data->devices_attached = grub_calloc (data->n_devices_allocated,
+                                       sizeof (data->devices_attached[0]));
   if (!data->devices_attached)
     {
       grub_free (data);
index 48ae438d85018cd94cd2bc076545b790a9f338e3..a80954ee61d91c213bae66eb343f346298fc1baa 100644 (file)
@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
          return 0;
        }
       node->compress_index_size = grub_le_to_cpu32 (index_size);
-      node->compress_index = grub_malloc (node->compress_index_size
-                                         sizeof (node->compress_index[0]));
+      node->compress_index = grub_calloc (node->compress_index_size,
+                                         sizeof (node->compress_index[0]));
       if (!node->compress_index)
        {
          node->compressed = 0;
          grub_free (attr_node);
          return grub_errno;
        }
+
+      /*
+       * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
+       * due to relevant checks done in grub_calloc() above.
+       */
       if (grub_hfsplus_read_file (node, 0, 0,
                                  0x104 + sizeof (index_size),
                                  node->compress_index_size
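Review bot: The new comment makes the length expression in the grub_hfsplus_read_file() call depend on a check done inside grub_calloc() several lines earlier, and the product is still written out a second time. Because `node->compress_index_size` is taken from the on-disk `index_size` field, computing the byte count once and reusing it would keep the allocation size and the read length from drifting apart in a later edit, for example `grub_size_t index_bytes = node->compress_index_size * sizeof (node->compress_index[0]);` placed after the NULL check and passed to the read. The hunk also shows no upper bound on the count relative to the attribute or file size, so a large on-disk value still requests a large zeroed allocation before the read can fail; whether such a bound exists earlier in hfsplus_open_compressed_real() is not visible here. The function starts before and continues past this hunk.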
index f91ff3bfa8c6ed32ac940abf665d3213a7dd1775..cf2bca8221ebcba5b4ace6e8c36dceef62afd5d9 100644 (file)
@@ -822,10 +822,10 @@ direct_read (struct grub_squash_data *data,
          break;
        }
       total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
-      ino->block_sizes = grub_malloc (total_blocks
-                                     sizeof (ino->block_sizes[0]));
-      ino->cumulated_block_sizes = grub_malloc (total_blocks
-                                               sizeof (ino->cumulated_block_sizes[0]));
+      ino->block_sizes = grub_calloc (total_blocks,
+                                     sizeof (ino->block_sizes[0]));
+      ino->cumulated_block_sizes = grub_calloc (total_blocks,
+                                               sizeof (ino->cumulated_block_sizes[0]));
       if (!ino->block_sizes || !ino->cumulated_block_sizes)
        {
          grub_free (ino->block_sizes);
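Review bot: The rounding on the context line `total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);` is not covered by grub_calloc(), which only checks the count-times-element-size product. If `total_size` is read from the inode at full width (its declaration is outside the hunk), the addition can wrap and yield a `total_blocks` smaller than the file size used elsewhere in direct_read() implies. A checked addition before the shift, such as `grub_add (total_size, data->blksz - 1, &rounded)` from GRUB's safemath helpers with the existing error path taken on failure, would close that gap; whether that header is already included in squash4.c cannot be seen here. direct_read() begins before and continues after this hunk.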