From: Jonathan Bar Or Date: Thu, 23 Jan 2025 18:17:05 +0000 (+0100) Subject: commands/read: Fix an integer overflow when supplying more than 2^31 characters X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dad8f502974ed9ad0a70ae6820d17b4b142558fc;p=thirdparty%2Fgrub.git commands/read: Fix an integer overflow when supplying more than 2^31 characters The grub_getline() function currently has a signed integer variable "i" that can be overflown when user supplies more than 2^31 characters. It results in a memory corruption of the allocated line buffer as well as supplying large negative values to grub_realloc(). Fixes: CVE-2025-0690 Reported-by: Jonathan Bar Or Signed-off-by: Jonathan Bar Or Reviewed-by: Daniel Kiper --- diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c index 597c90706..8d72e45c9 100644 --- a/grub-core/commands/read.c +++ b/grub-core/commands/read.c @@ -25,6 +25,7 @@ #include #include #include +#include GRUB_MOD_LICENSE ("GPLv3+"); @@ -37,13 +38,14 @@ static const struct grub_arg_option options[] = static char * grub_getline (int silent) { - int i; + grub_size_t i; char *line; char *tmp; int c; + grub_size_t alloc_size; i = 0; - line = grub_malloc (1 + i + sizeof('\0')); + line = grub_malloc (1 + sizeof('\0')); if (! line) return NULL; @@ -59,8 +61,17 @@ grub_getline (int silent) line[i] = (char) c; if (!silent) grub_printf ("%c", c); - i++; - tmp = grub_realloc (line, 1 + i + sizeof('\0')); + if (grub_add (i, 1, &i)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + return NULL; + } + if (grub_add (i, 1 + sizeof('\0'), &alloc_size)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + return NULL; + } + tmp = grub_realloc (line, alloc_size); if (! tmp) { grub_free (line);