From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001 From: Jonathan Bar Or Date: Thu, 23 Jan 2025 19:17:05 +0100 Subject: [PATCH] commands/read: Fix an integer overflow when supplying more than 2^31 characters The grub_getline() function currently has a signed integer variable "i" that can be overflown when user supplies more than 2^31 characters. It results in a memory corruption of the allocated line buffer as well as supplying large negative values to grub_realloc(). Fixes: CVE-2025-0690 Reported-by: Jonathan Bar Or Signed-off-by: Jonathan Bar Or Reviewed-by: Daniel Kiper CVE: CVE-2025-0690 Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc] Signed-off-by: Hitendra Prajapati --- grub-core/commands/read.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c index fe3e88b..f3ff826 100644 --- a/grub-core/commands/read.c +++ b/grub-core/commands/read.c @@ -25,19 +25,21 @@ #include #include #include +#include GRUB_MOD_LICENSE ("GPLv3+"); static char * grub_getline (void) { - int i; + grub_size_t i; char *line; char *tmp; char c; + grub_size_t alloc_size; i = 0; - line = grub_malloc (1 + i + sizeof('\0')); + line = grub_malloc (1 + sizeof('\0')); if (! line) return NULL; @@ -50,8 +52,17 @@ grub_getline (void) line[i] = c; if (grub_isprint (c)) grub_printf ("%c", c); - i++; - tmp = grub_realloc (line, 1 + i + sizeof('\0')); + if (grub_add (i, 1, &i)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + return NULL; + } + if (grub_add (i, 1 + sizeof('\0'), &alloc_size)) + { + grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + return NULL; + } + tmp = grub_realloc (line, alloc_size); if (! tmp) { grub_free (line); -- 2.25.1