PUBLIC_REPOS
/
buildroot
mirror of git://git.buildroot.net/buildroot


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889
							From 7ad4117be44d8cf0443bbc58d49e592a33aaac89 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Fri, 15 Nov 2024 13:12:09 +0000
Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()

The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
pass the underlying buffers size to the grub_net_search_config_file().

Fixes: CVE-2025-0624

Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Conflicts:
	grub-core/normal/main.c

Upstream: 5eef88152833062a3f7e017535372d64ac8ef7e1
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 grub-core/net/net.c     | 7 ++++---
 grub-core/normal/main.c | 2 +-
 include/grub/net.h      | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/grub-core/net/net.c b/grub-core/net/net.c
index 8dbb0eada..2bd490279 100644
--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
@@ -1942,14 +1942,15 @@ grub_config_search_through (char *config, char *suffix,
 }
 
 grub_err_t
-grub_net_search_config_file (char *config)
+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
 {
-  grub_size_t config_len;
+  grub_size_t config_len, suffix_len;
   char *suffix;
 
   config_len = grub_strlen (config);
   config[config_len] = '-';
   suffix = config + config_len + 1;
+  suffix_len = config_buf_len - (config_len + 1);
 
   struct grub_net_network_level_interface *inf;
   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
@@ -1975,7 +1976,7 @@ grub_net_search_config_file (char *config)
 
       if (client_uuid)
         {
-          grub_strcpy (suffix, client_uuid);
+          grub_strlcpy (suffix, client_uuid, suffix_len);
           if (grub_config_search_through (config, suffix, 1, 0) == 0)
             return GRUB_ERR_NONE;
         }
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index bd4431000..3b48cd333 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
 
           if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 &&
               !disable_net_search)
-            grub_net_search_config_file (config);
+	     grub_net_search_config_file (config, config_len);
 
 	  grub_enter_normal_mode (config);
 	  grub_free (config);
diff --git a/include/grub/net.h b/include/grub/net.h
index 228d04963..58a4f83fc 100644
--- a/include/grub/net.h
+++ b/include/grub/net.h
@@ -570,7 +570,7 @@ void
 grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
 
 grub_err_t
-grub_net_search_config_file (char *config);
+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
 
 extern char *grub_net_default_server;
 
-- 
2.50.1