unix/config: Fix integer overflow in grub_util_load_config

This adjusts Debian's /etc/default/grub.d/*.cfg patch to perform safe allocation. Signed-off-by: Colin Watson <cjwatson@debian.org> Patch-Name: unix-config-overflow.patch

unix/config: Fix integer overflow in grub_util_load_config
This adjusts Debian's /etc/default/grub.d/*.cfg patch to perform safe allocation. Signed-off-by: Colin Watson <cjwatson@debian.org> Patch-Name: unix-config-overflow.patch
a0c8532b · Colin Watson · d8c9aaa7 · a0c8532b
Commit a0c8532b authored 4 years ago by Colin Watson
--- a/grub-core/osdep/unix/config.c
+++ b/grub-core/osdep/unix/config.c
@@ -25,6 +25,7 @@
 #include <grub/util/install.h>
 #include <grub/util/misc.h>
 #include <grub/list.h>
+#include <grub/safemath.h>
 #include <assert.h>
 #include <string.h>
 #include <sys/types.h>
@@ -101,8 +102,14 @@ grub_util_load_config (struct grub_util_config *cfg)
  cfgfile = grub_util_get_config_filename ();
  if (grub_util_is_regular (cfgfile))
    {
+      size_t sz;
+
      ++num_cfgpaths;
-      len_cfgpaths += strlen (cfgfile) * 4 + sizeof (". ''; ") - 1;
+      sz = strlen (cfgfile);
+      if (grub_mul (sz, 4, &sz) ||
+	  grub_add (sz, sizeof (". ''; ") - 1, &sz) ||
+	  grub_add (len_cfgpaths, sz, &len_cfgpaths))
+	grub_util_error ("%s", _("overflow is detected"));
    }

  cfgdir = xasprintf ("%s.d", cfgfile);
@@ -114,6 +121,7 @@ grub_util_load_config (struct grub_util_config *cfg)
      while ((de = grub_util_fd_readdir (d)))
 	{
 	  const char *ext = strrchr (de->d_name, '.');
+	  size_t sz;

 	  if (!ext || strcmp (ext, ".cfg") != 0)
 	    continue;
@@ -122,7 +130,11 @@ grub_util_load_config (struct grub_util_config *cfg)
 	  cfgpath->path = grub_util_path_concat (2, cfgdir, de->d_name);
 	  grub_list_push (GRUB_AS_LIST_P (&cfgpaths), GRUB_AS_LIST (cfgpath));
 	  ++num_cfgpaths;
-	  len_cfgpaths += strlen (cfgpath->path) * 4 + sizeof (". ''; ") - 1;
+	  sz = strlen (cfgpath->path);
+	  if (grub_mul (sz, 4, &sz) ||
+	      grub_add (sz, sizeof (". ''; ") - 1, &sz) ||
+	      grub_add (len_cfgpaths, sz, &len_cfgpaths))
+	    grub_util_error ("%s", _("overflow is detected"));
 	}
      grub_util_fd_closedir (d);
    }
@@ -130,7 +142,7 @@ grub_util_load_config (struct grub_util_config *cfg)
  if (num_cfgpaths == 0)
    goto out;

-  sorted_cfgpaths = xmalloc (num_cfgpaths * sizeof (*sorted_cfgpaths));
+  sorted_cfgpaths = xcalloc (num_cfgpaths, sizeof (*sorted_cfgpaths));
  i = 0;
  if (grub_util_is_regular (cfgfile))
    sorted_cfgpaths[i++] = xstrdup (cfgfile);
@@ -146,7 +158,9 @@ grub_util_load_config (struct grub_util_config *cfg)
  argv[0] = "sh";
  argv[1] = "-c";

-  script = xmalloc (len_cfgpaths + 300);
+  if (grub_add (len_cfgpaths, 300, &len_cfgpaths))
+    grub_util_error ("%s", _("overflow is detected"));
+  script = xmalloc (len_cfgpaths);

  ptr = script;
  for (i = 0; i < num_cfgpaths; i++)