grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SECURITY PATCH 100/117] kern/parser: Fix a stack buffer overflow

From: Paul Menzel
Subject: Re: [SECURITY PATCH 100/117] kern/parser: Fix a stack buffer overflow
Date: Tue, 29 Jun 2021 00:12:43 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 
Dear Daniel, dear Chris,


Am 10.06.21 um 13:55 schrieb Paul Menzel:


Am 02.03.21 um 19:01 schrieb Daniel Kiper:

From: Chris Coulson <chris.coulson@canonical.com>
grub_parser_split_cmdline() expands variable names present in the supplied 
command line in to their corresponding variable contents and uses a 1 kiB
stack buffer for temporary storage without sufficient bounds checking. If
the function is called with a command line that references a variable with 
a sufficiently large payload, it is possible to overflow the stack
buffer via tab completion, corrupt the stack frame and potentially
control execution.

Fixes: CVE-2020-27749

Reported-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
  grub-core/kern/parser.c | 110 +++++++++++++++++++++++++++++-------------------
  1 file changed, 67 insertions(+), 43 deletions(-)

diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
index e010eaa1f..6ab7aa427 100644
--- a/grub-core/kern/parser.c
+++ b/grub-core/kern/parser.c
@@ -18,6 +18,7 @@
   */
  #include <grub/parser.h>
+#include <grub/buffer.h>
  #include <grub/env.h>
  #include <grub/misc.h>
  #include <grub/mm.h>
@@ -107,8 +108,8 @@ check_varstate (grub_parser_state_t s)
  }
-static void
-add_var (char *varname, char **bp, char **vp,
+static grub_err_t
+add_var (grub_buffer_t varname, grub_buffer_t buf,
       grub_parser_state_t state, grub_parser_state_t newstate)
  {
    const char *val;
@@ -116,31 +117,41 @@ add_var (char *varname, char **bp, char **vp,
    /* Check if a variable was being read in and the end of the name
       was reached.  */
    if (!(check_varstate (state) && !check_varstate (newstate)))
-    return;
+    return GRUB_ERR_NONE;
-  *((*vp)++) = '\0';
-  val = grub_env_get (varname);
-  *vp = varname;
+  if (grub_buffer_append_char (varname, '\0') != GRUB_ERR_NONE)
+    return grub_errno;
+
+  val = grub_env_get ((const char *) grub_buffer_peek_data (varname));
+  grub_buffer_reset (varname);
    if (!val)
-    return;
+    return GRUB_ERR_NONE;
    /* Insert the contents of the variable in the buffer.  */
-  for (; *val; val++)
-    *((*bp)++) = *val;
+  return grub_buffer_append_data (buf, val, grub_strlen (val));
  }
-static void
-terminate_arg (char *buffer, char **bp, int *argc)
+static grub_err_t
+terminate_arg (grub_buffer_t buffer, int *argc)
  {
-  if (*bp != buffer && *((*bp) - 1) != '\0')
-    {
-      *((*bp)++) = '\0';
-      (*argc)++;
-    }
+  grub_size_t unread = grub_buffer_get_unread_bytes (buffer);
+
+  if (unread == 0)
+    return GRUB_ERR_NONE;
+
+  if (*(const char *) grub_buffer_peek_data_at (buffer, unread - 1) == '\0') 
+    return GRUB_ERR_NONE;
+
+  if (grub_buffer_append_char (buffer, '\0') != GRUB_ERR_NONE)
+    return grub_errno;
+
+  (*argc)++;
+
+  return GRUB_ERR_NONE;
  }
  static grub_err_t
-process_char (char c, char *buffer, char **bp, char *varname, char **vp,
+process_char (char c, grub_buffer_t buffer, grub_buffer_t varname,
            grub_parser_state_t state, int *argc,
            grub_parser_state_t *newstate)
  {
@@ -153,12 +164,13 @@ process_char (char c, char *buffer, char **bp, char *varname, char **vp, 
     * not describe the variable anymore, write the variable to
     * the buffer.
     */
-  add_var (varname, bp, vp, state, *newstate);
+  if (add_var (varname, buffer, state, *newstate) != GRUB_ERR_NONE)
+    return grub_errno;
    if (check_varstate (*newstate))
      {
        if (use)
-    *((*vp)++) = use;
+        return grub_buffer_append_char (varname, use);
      }
    else if (*newstate == GRUB_PARSER_STATE_TEXT &&
         state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
@@ -167,10 +179,10 @@ process_char (char c, char *buffer, char **bp, char *varname, char **vp, 
         * Don't add more than one argument if multiple
         * spaces are used.
         */
-      terminate_arg (buffer, bp, argc);
+      return terminate_arg (buffer, argc);
      }
    else if (use)
-    *((*bp)++) = use;
+    return grub_buffer_append_char (buffer, use);
    return GRUB_ERR_NONE;
  }
@@ -181,19 +193,22 @@ grub_parser_split_cmdline (const char *cmdline,
                 int *argc, char ***argv)
  {
    grub_parser_state_t state = GRUB_PARSER_STATE_TEXT;
-  /* XXX: Fixed size buffer, perhaps this buffer should be dynamically
-     allocated.  */
-  char buffer[1024];
-  char *bp = buffer;
+  grub_buffer_t buffer, varname;
    char *rd = (char *) cmdline;
    char *rp = rd;
-  char varname[200];
-  char *vp = varname;
-  char *args;
    int i;
    *argc = 0;
    *argv = NULL;
+
+  buffer = grub_buffer_new (1024);
+  if (buffer == NULL)
+    return grub_errno;
+
+  varname = grub_buffer_new (200);
+  if (varname == NULL)
+    goto fail;
+
    do
      {
        if (rp == NULL || *rp == '\0')
@@ -219,7 +234,7 @@ grub_parser_split_cmdline (const char *cmdline,
      {
        grub_parser_state_t newstate;
-      if (process_char (*rp, buffer, &bp, varname, &vp, state, argc,
+      if (process_char (*rp, buffer, varname, state, argc,
                  &newstate) != GRUB_ERR_NONE)
          goto fail;
@@ -230,10 +245,12 @@ grub_parser_split_cmdline (const char *cmdline,
    /* A special case for when the last character was part of a
       variable.  */
-  add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
+  if (add_var (varname, buffer, state, GRUB_PARSER_STATE_TEXT) != GRUB_ERR_NONE) 
+    goto fail;
    /* Ensure that the last argument is terminated. */
-  terminate_arg (buffer, &bp, argc);
+  if (terminate_arg (buffer, argc) != GRUB_ERR_NONE)
+    goto fail;
    /* If there are no args, then we're done. */
    if (!*argc)
@@ -242,38 +259,45 @@ grub_parser_split_cmdline (const char *cmdline,
        goto out;
      }
-  /* Reserve memory for the return values.  */
-  args = grub_malloc (bp - buffer);
-  if (!args)
-    goto fail;
-  grub_memcpy (args, buffer, bp - buffer);
-
    *argv = grub_calloc (*argc + 1, sizeof (char *));
    if (!*argv)
      goto fail;
    /* The arguments are separated with 0's, setup argv so it points to
       the right values.  */
-  bp = args;
    for (i = 0; i < *argc; i++)
      {
-      (*argv)[i] = bp;
-      while (*bp)
-    bp++;
-      bp++;
+      char *arg;
+
+      if (i > 0)
+    {
+      if (grub_buffer_advance_read_pos (buffer, 1) != GRUB_ERR_NONE)
+        goto fail;
+    }
+
+      arg = (char *) grub_buffer_peek_data (buffer);
+      if (arg == NULL ||
+      grub_buffer_advance_read_pos (buffer, grub_strlen (arg)) != GRUB_ERR_NONE) 
+    goto fail;
+
+      (*argv)[i] = arg;
      }
+  /* Keep memory for the return values. */
+  grub_buffer_take_data (buffer);
+
    grub_errno = GRUB_ERR_NONE;
   out:
    if (rd != cmdline)
      grub_free (rd);
+  grub_buffer_free (buffer);
+  grub_buffer_free (varname);
    return grub_errno;
   fail:
    grub_free (*argv);
-  grub_free (args);
    goto out;
  }
This commit causes a regresses. Building it as a coreboot payload with `-Os`, it crashes in QEMU. I am using Debian sid/unstable with GCC 10.2. 

     $ gcc --version | head -1
     gcc (Debian 10.2.1-6) 10.2.1 20210110

Build the payload `default_payload.elf`.
    $ rm -rf build && mkdir build && cd build && ../configure CFLAGS=-O2 TARGET_CFLAGS=-Os --with-platform=coreboot --with-platform=coreboot --enable-boot-time --disable-werror && make -j4 && make default_payload.elf && cd ..
Clone coreboot, run `make menuconfig`, increase the ROM size to 2 MB and under *Payload* choose *Add a payload (An ELF executable payload)*, and select `default_payload.elf`. Run `make -j$(nproc)` and run the image in QEMU: 

     $ qemu-system-i386 -enable-kvm -m 2G -bios build/coreboot.rom -serial stdio

Notice:

```
[…]
BS: BS_PAYLOAD_LOAD run times (exec / console): 44 / 12 ms
Jumping to boot code at 0x00009000(0x7ffa1000)
CPU Index 0 - APIC 0 Unexpected Exception:6 @ 10:00009016 - Halting
Code: 0 eflags: 00010002 cr2: 00000000
eax: 00000000 ebx: 7ffc39a4 ecx: 0001a9f8 edx: 000000ff
edi: 0000000b esi: 000001e4 ebp: 7ffc8fd8 esp: 7ffc8f7c

0x00008fd0:    00 00 00 00 00 00 00 00
0x00008fd8:    00 00 00 00 00 00 00 00
0x00008fe0:    00 00 00 00 00 00 00 00
0x00008fe8:    00 00 00 00 00 00 00 00
0x00008ff0:    00 00 00 00 00 00 00 00
0x00008ff8:    00 00 00 00 00 00 00 00
0x00009000:    52 52 68 f8 a9 01 00 6a
0x00009008:    0b e8 23 cd 00 00 83 c4
0x00009010:    10 a0 00 00 00 00 0f 0b
0x00009018:    51 51 68 0a aa 01 00 6a
0x00009020:    0b e8 0b cd 00 00 83 c4
0x00009028:    10 eb e6 90 bc f0 ff 07
0x00009030:    00 e9 64 d7 00 00 66 90
0x00009038:    02 b0 ad 1b 02 00 00 00
0x00009040:    fc 4f 52 e4 55 57 56 53
0x00009048:    83 ec 1c 8b 4c 24 30 8b
0x7ffc8ff8:    0x7ffc33e0
0x7ffc8ff4:    0xdeadbeef
0x7ffc8ff0:    0xdeadbeef
0x7ffc8fec:    0x7ffaa05f
0x7ffc8fe8:    0xdeadbeef
0x7ffc8fe4:    0xdeadbeef
0x7ffc8fe0:    0xdeadbeef
0x7ffc8fdc:    0x7ffaa05f
0x7ffc8fd8:    0x7ffdcfe8 <-ebp
0x7ffc8fd4:    0x7ffc9000
0x7ffc8fd0:    0x00000000
0x7ffc8fcc:    0x00000000
0x7ffc8fc8:    0x7ffc8ff0
0x7ffc8fc4:    0xdeadbeef
0x7ffc8fc0:    0xdeadbeef
0x7ffc8fbc:    0x7ffae54a
0x7ffc8fb8:    0x7ffc8fd8
0x7ffc8fb4:    0x0000000b
0x7ffc8fb0:    0x00000000
0x7ffc8fac:    0x7ffae55e
0x7ffc8fa8:    0x7ffc39a4
0x7ffc8fa4:    0x0000000b
0x7ffc8fa0:    0x000001b8
0x7ffc8f9c:    0x7ffae401
0x7ffc8f98:    0x7ffc3978
0x7ffc8f94:    0x18cd145c
0x7ffc8f90:    0x0000007b
0x7ffc8f8c:    0x7ffa1000
0x7ffc8f88:    0x00009000
0x7ffc8f84:    0x00000000
0x7ffc8f80:    0x7ffa1000
0x7ffc8f7c:    0x7ffb040d <-esp
```


Just a gentle ping regarding this regression.


Kind regards,

Paul
reply via email to
[Prev in Thread] Current Thread [Next in Thread]