[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] envblk: Fix buffer overrun when attempting to shrink a varia
|
From: |
Daniel Kiper |
|
Subject: |
Re: [PATCH] envblk: Fix buffer overrun when attempting to shrink a variable value |
|
Date: |
Wed, 13 May 2020 14:38:13 +0200 |
|
User-agent: |
NeoMutt/20170113 (1.7.2) |
On Tue, May 12, 2020 at 02:32:25PM +0200, Javier Martinez Canillas wrote:
> If an existing variable is set with a value whose length is smaller than
> the current value, a memory corruption can happen due copying padding '#'
> characters outside of the environment block buffer.
>
> This is caused by a wrong calculation of the previous free space position
> after moving backward the characters that followed the old variable value.
>
> That position is calculated to fill the remaining of the buffer with the
> padding '#' characters. But since isn't calculated correctly, it can lead
> to copies outside of the buffer.
>
> The issue can be reproduced by creating a variable with a large value and
> then try to set a new value that is much smaller:
>
> $ grub2-editenv --version
> grub2-editenv (GRUB) 2.04
>
> $ grub2-editenv env create
>
> $ grub2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo
> $var)"
>
> $ wc -c env
> 1024 grubenv
>
> $ grub2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo
> $var)"
> malloc(): corrupted top size
> Aborted (core dumped)
>
> $ wc -c env
> 0 grubenv
>
> Reported-by: Renaud Métrich <address@hidden>
> Signed-off-by: Javier Martinez Canillas <address@hidden>
Reviewed-by: Daniel Kiper <address@hidden>
Daniel