[SECURITY PATCH 100/117] kern/parser: Fix a stack buffer overflow

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 100/117] kern/parser: Fix a stack buffer overflow

From:	Daniel Kiper
Subject:	[SECURITY PATCH 100/117] kern/parser: Fix a stack buffer overflow
Date:	Tue, 2 Mar 2021 19:01:47 +0100

From: Chris Coulson <chris.coulson@canonical.com>

grub_parser_split_cmdline() expands variable names present in the supplied
command line in to their corresponding variable contents and uses a 1 kiB
stack buffer for temporary storage without sufficient bounds checking. If
the function is called with a command line that references a variable with
a sufficiently large payload, it is possible to overflow the stack
buffer via tab completion, corrupt the stack frame and potentially
control execution.

Fixes: CVE-2020-27749

Reported-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/kern/parser.c | 110 +++++++++++++++++++++++++++++-------------------
 1 file changed, 67 insertions(+), 43 deletions(-)

diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
index e010eaa1f..6ab7aa427 100644
--- a/grub-core/kern/parser.c
+++ b/grub-core/kern/parser.c
@@ -18,6 +18,7 @@
  */
 
 #include <grub/parser.h>
+#include <grub/buffer.h>
 #include <grub/env.h>
 #include <grub/misc.h>
 #include <grub/mm.h>
@@ -107,8 +108,8 @@ check_varstate (grub_parser_state_t s)
 }
 
 
-static void
-add_var (char *varname, char **bp, char **vp,
+static grub_err_t
+add_var (grub_buffer_t varname, grub_buffer_t buf,
         grub_parser_state_t state, grub_parser_state_t newstate)
 {
   const char *val;
@@ -116,31 +117,41 @@ add_var (char *varname, char **bp, char **vp,
   /* Check if a variable was being read in and the end of the name
      was reached.  */
   if (!(check_varstate (state) && !check_varstate (newstate)))
-    return;
+    return GRUB_ERR_NONE;
 
-  *((*vp)++) = '\0';
-  val = grub_env_get (varname);
-  *vp = varname;
+  if (grub_buffer_append_char (varname, '\0') != GRUB_ERR_NONE)
+    return grub_errno;
+
+  val = grub_env_get ((const char *) grub_buffer_peek_data (varname));
+  grub_buffer_reset (varname);
   if (!val)
-    return;
+    return GRUB_ERR_NONE;
 
   /* Insert the contents of the variable in the buffer.  */
-  for (; *val; val++)
-    *((*bp)++) = *val;
+  return grub_buffer_append_data (buf, val, grub_strlen (val));
 }
 
-static void
-terminate_arg (char *buffer, char **bp, int *argc)
+static grub_err_t
+terminate_arg (grub_buffer_t buffer, int *argc)
 {
-  if (*bp != buffer && *((*bp) - 1) != '\0')
-    {
-      *((*bp)++) = '\0';
-      (*argc)++;
-    }
+  grub_size_t unread = grub_buffer_get_unread_bytes (buffer);
+
+  if (unread == 0)
+    return GRUB_ERR_NONE;
+
+  if (*(const char *) grub_buffer_peek_data_at (buffer, unread - 1) == '\0')
+    return GRUB_ERR_NONE;
+
+  if (grub_buffer_append_char (buffer, '\0') != GRUB_ERR_NONE)
+    return grub_errno;
+
+  (*argc)++;
+
+  return GRUB_ERR_NONE;
 }
 
 static grub_err_t
-process_char (char c, char *buffer, char **bp, char *varname, char **vp,
+process_char (char c, grub_buffer_t buffer, grub_buffer_t varname,
              grub_parser_state_t state, int *argc,
              grub_parser_state_t *newstate)
 {
@@ -153,12 +164,13 @@ process_char (char c, char *buffer, char **bp, char 
*varname, char **vp,
    * not describe the variable anymore, write the variable to
    * the buffer.
    */
-  add_var (varname, bp, vp, state, *newstate);
+  if (add_var (varname, buffer, state, *newstate) != GRUB_ERR_NONE)
+    return grub_errno;
 
   if (check_varstate (*newstate))
     {
       if (use)
-       *((*vp)++) = use;
+        return grub_buffer_append_char (varname, use);
     }
   else if (*newstate == GRUB_PARSER_STATE_TEXT &&
           state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
@@ -167,10 +179,10 @@ process_char (char c, char *buffer, char **bp, char 
*varname, char **vp,
        * Don't add more than one argument if multiple
        * spaces are used.
        */
-      terminate_arg (buffer, bp, argc);
+      return terminate_arg (buffer, argc);
     }
   else if (use)
-    *((*bp)++) = use;
+    return grub_buffer_append_char (buffer, use);
 
   return GRUB_ERR_NONE;
 }
@@ -181,19 +193,22 @@ grub_parser_split_cmdline (const char *cmdline,
                           int *argc, char ***argv)
 {
   grub_parser_state_t state = GRUB_PARSER_STATE_TEXT;
-  /* XXX: Fixed size buffer, perhaps this buffer should be dynamically
-     allocated.  */
-  char buffer[1024];
-  char *bp = buffer;
+  grub_buffer_t buffer, varname;
   char *rd = (char *) cmdline;
   char *rp = rd;
-  char varname[200];
-  char *vp = varname;
-  char *args;
   int i;
 
   *argc = 0;
   *argv = NULL;
+
+  buffer = grub_buffer_new (1024);
+  if (buffer == NULL)
+    return grub_errno;
+
+  varname = grub_buffer_new (200);
+  if (varname == NULL)
+    goto fail;
+
   do
     {
       if (rp == NULL || *rp == '\0')
@@ -219,7 +234,7 @@ grub_parser_split_cmdline (const char *cmdline,
        {
          grub_parser_state_t newstate;
 
-         if (process_char (*rp, buffer, &bp, varname, &vp, state, argc,
+         if (process_char (*rp, buffer, varname, state, argc,
                            &newstate) != GRUB_ERR_NONE)
            goto fail;
 
@@ -230,10 +245,12 @@ grub_parser_split_cmdline (const char *cmdline,
 
   /* A special case for when the last character was part of a
      variable.  */
-  add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
+  if (add_var (varname, buffer, state, GRUB_PARSER_STATE_TEXT) != 
GRUB_ERR_NONE)
+    goto fail;
 
   /* Ensure that the last argument is terminated. */
-  terminate_arg (buffer, &bp, argc);
+  if (terminate_arg (buffer, argc) != GRUB_ERR_NONE)
+    goto fail;
 
   /* If there are no args, then we're done. */
   if (!*argc)
@@ -242,38 +259,45 @@ grub_parser_split_cmdline (const char *cmdline,
       goto out;
     }
 
-  /* Reserve memory for the return values.  */
-  args = grub_malloc (bp - buffer);
-  if (!args)
-    goto fail;
-  grub_memcpy (args, buffer, bp - buffer);
-
   *argv = grub_calloc (*argc + 1, sizeof (char *));
   if (!*argv)
     goto fail;
 
   /* The arguments are separated with 0's, setup argv so it points to
      the right values.  */
-  bp = args;
   for (i = 0; i < *argc; i++)
     {
-      (*argv)[i] = bp;
-      while (*bp)
-       bp++;
-      bp++;
+      char *arg;
+
+      if (i > 0)
+       {
+         if (grub_buffer_advance_read_pos (buffer, 1) != GRUB_ERR_NONE)
+           goto fail;
+       }
+
+      arg = (char *) grub_buffer_peek_data (buffer);
+      if (arg == NULL ||
+         grub_buffer_advance_read_pos (buffer, grub_strlen (arg)) != 
GRUB_ERR_NONE)
+       goto fail;
+
+      (*argv)[i] = arg;
     }
 
+  /* Keep memory for the return values. */
+  grub_buffer_take_data (buffer);
+
   grub_errno = GRUB_ERR_NONE;
 
  out:
   if (rd != cmdline)
     grub_free (rd);
+  grub_buffer_free (buffer);
+  grub_buffer_free (varname);
 
   return grub_errno;
 
  fail:
   grub_free (*argv);
-  grub_free (args);
   goto out;
 }
 
-- 
2.11.0

[Prev in Thread]

Current Thread

[Next in Thread]

[SECURITY PATCH 090/117] disk/lvm: Do not overread metadata, (continued)
- [SECURITY PATCH 090/117] disk/lvm: Do not overread metadata, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 095/117] kern/parser: Fix a memory leak, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 092/117] disk/lvm: Do not allow a LV to be it's own segment's node's LV, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 098/117] kern/parser: Refactor grub_parser_split_cmdline() cleanup, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 102/117] util/mkimage: Remove unused code to add BSS section, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 108/117] util/mkimage: Refactor section setup to use a helper, Daniel Kiper, 2021/03/02
  - Re: [SECURITY PATCH 108/117] util/mkimage: Refactor section setup to use a helper, John Paul Adrian Glaubitz, 2021/03/18
    - Re: [SECURITY PATCH 108/117] util/mkimage: Refactor section setup to use a helper, John Paul Adrian Glaubitz, 2021/03/20
    - Re: [SECURITY PATCH 108/117] util/mkimage: Refactor section setup to use a helper, John Paul Adrian Glaubitz, 2021/03/20
- [SECURITY PATCH 107/117] util/mkimage: Improve data_size value calculation, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 100/117] kern/parser: Fix a stack buffer overflow, Daniel Kiper <=
- [SECURITY PATCH 103/117] util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 105/117] util/mkimage: Unify more of the PE32 and PE32+ header set-up, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 101/117] kern/efi: Add initial stack protector implementation, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 109/117] util/mkimage: Add an option to import SBAT metadata into a .sbat section, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 115/117] gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 104/117] util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap stuff, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 112/117] kern/misc: Split parse_printf_args() into format parsing and va_list handling, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 106/117] util/mkimage: Reorder PE optional header fields set-up, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 114/117] kern/misc: Add function to check printf() format against expected format, Daniel Kiper, 2021/03/02
  - Re: [SECURITY PATCH 114/117] kern/misc: Add function to check printf() format against expected format, Colin Watson, 2021/03/17

Prev by Date: [SECURITY PATCH 107/117] util/mkimage: Improve data_size value calculation
Next by Date: [SECURITY PATCH 103/117] util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32()
Previous by thread: [SECURITY PATCH 107/117] util/mkimage: Improve data_size value calculation
Next by thread: [SECURITY PATCH 103/117] util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32()
Index(es):
- Date
- Thread