- From ab0f52dadcda56782b3e82be0b15fa6eb0e9cee1 Mon Sep 17 00:00:00 2001
- From: B Horn <b@horn.uk>
- Date: Sun, 12 May 2024 02:03:33 +0100
- Subject: [PATCH] fs/ufs: Fix a heap OOB write
- grub_strcpy() was used to copy a symlink name from the filesystem
- image to a heap-allocated buffer. This led to an OOB write to adjacent
- heap allocations. Fix by using grub_strlcpy().
- Fixes: CVE-2024-45781
- Reported-by: B Horn <b@horn.uk>
- Signed-off-by: B Horn <b@horn.uk>
- Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
- Upstream: c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba
- Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- ---
- grub-core/fs/ufs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
- index a354c92d9..01235101b 100644
- --- a/grub-core/fs/ufs.c
- +++ b/grub-core/fs/ufs.c
- @@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino)
- /* Check against zero is paylindromic, no need to swap. */
- if (data->inode.nblocks == 0
- && INODE_SIZE (data) <= sizeof (data->inode.symlink))
- - grub_strcpy (symlink, (char *) data->inode.symlink);
- + grub_strlcpy (symlink, (char *) data->inode.symlink, sz);
- else
- {
- if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0)
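Review bot: The bound on the added `grub_strlcpy` call is `sz`, the same value the else branch passes to `grub_ufs_read_file` as the read length, so the two branches may not fill the buffer the same way. If `grub_strlcpy` follows the usual strlcpy contract (at most size-1 bytes plus a terminator), an inline symlink whose target is exactly `sz` bytes long would lose its last character. The allocation of `symlink` and the definition of `sz` are outside the hunk; if the buffer is `sz + 1` bytes, which the `sz`-byte read in the else branch suggests, then `grub_strlcpy (symlink, (char *) data->inode.symlink, sz + 1);` stays in bounds without truncating. I would also add a comment above the copy such as `/* inode.symlink comes from the filesystem image; never trust it to fit sz. */` so the reason for the bounded copy stays visible.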
- --
- 2.50.1