Message ID | 20190315103909.4156-1-sbabic@denx.de |
---|---|
State | Accepted |
Headers | From: Stefano Babic <sbabic@denx.de> To: swupdate@googlegroups.com Subject: [swupdate] [PATCH] BUG: buffer overflow in grub env code Date: Fri, 15 Mar 2019 11:39:09 +0100 |
Series | BUG: buffer overflow in grub env code |
diff --git a/bootloader/grub.c b/bootloader/grub.c index 414c759..6a03d2b 100644 --- a/bootloader/grub.c +++ b/bootloader/grub.c @@ -165,7 +165,7 @@ static inline void grubenv_update_size(struct grubenv_t *grubenv) static int grubenv_write(struct grubenv_t *grubenv) { FILE *fp = NULL; - char *buf = NULL, *ptr, line[SWUPDATE_GENERAL_STRING_SIZE]; + char *buf = NULL, *ptr; struct dict_entry *grubvar; int ret = 0, llen = 0; @@ -198,11 +198,17 @@ static int grubenv_write(struct grubenv_t *grubenv) LIST_FOREACH(grubvar, &grubenv->vars, next) { char *key = dict_entry_get_key(grubvar); char *value = dict_entry_get_value(grubvar); + char *tmp; llen = strlen(key) + strlen(value) + 2; /* +1 for null termination */ - snprintf(line, llen + 1, "%s=%s\n", key, value); - strncat(buf, line, llen); + ret = asprintf(&tmp, "%s=%s\n", key, value); + if (ret == ENOMEM_ASPRINTF) { + ERROR("OOM when copying Grub Env"); + goto cleanup; + } + strncat(buf, tmp, llen); + free(tmp); } /* # chars starts there */
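Review bot: In the second hunk, `ret = asprintf(&tmp, "%s=%s\n", key, value);` reuses the function's status variable (declared as `int ret = 0` in the first hunk's context), so after every successful iteration `ret` holds a positive byte count. Unless it is reset after the loop, outside the lines shown here, `grubenv_write()` can reach its exit path with a non-zero value on success. A dedicated local for the asprintf() result would avoid that, and the same value could replace the hand-computed `llen` passed to `strncat(buf, tmp, llen)`, so the length used for the copy cannot drift from the string actually built. Two smaller points: asprintf() reports failure by returning -1, so it is worth confirming that `ENOMEM_ASPRINTF` is defined as -1; and the append into `buf` still relies on the size estimated before the loop being correct, since strncat() bounds the source length, not the space left in the destination.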
The size is estimated before iterating the variables, but then each variable is copied into a fixed-size buffer (256 bytes). If a variable is larger than 256 bytes, a buffer overflow happens.

Signed-off-by: Stefano Babic <sbabic@denx.de>

---
 bootloader/grub.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)