From: Daniel Axtens Date: Fri, 22 Jan 2021 06:10:48 +0000 (+1100) Subject: commands/menuentry: Fix quoting in setparams_prefix() X-Git-Tag: grub-2.06-rc1~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33;p=thirdparty%2Fgrub.git commands/menuentry: Fix quoting in setparams_prefix() Commit 9acdcbf32542 (use single quotes in menuentry setparams command) says that expressing a quoted single quote will require 3 characters. It actually requires (and always did require!) 4 characters: str: a'b => a'\''b len: 3 => 6 (2 for the letters + 4 for the quote) This leads to not allocating enough memory and thus out of bounds writes that have been observed to cause heap corruption. Allocate 4 bytes for each single quote. Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same quoting, but it adds 3 as extra overhead on top of the single byte that the quote already needs. So it's correct. Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command) Fixes: CVE-2021-20233 Reported-by: Daniel Axtens Signed-off-by: Daniel Axtens Reviewed-by: Daniel Kiper --- diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c index 9164df744..720e6d8ea 100644 --- a/grub-core/commands/menuentry.c +++ b/grub-core/commands/menuentry.c @@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args) len += 3; /* 3 = 1 space + 2 quotes */ p = args[i]; while (*p) - len += (*p++ == '\'' ? 3 : 1); + len += (*p++ == '\'' ? 4 : 1); } result = grub_malloc (len + 2);