| 12345678910111213141516171819202122232425262728293031323334353637383940 |
- From 31b3e24947c6dbb65ea2eca30ddd168dc47513ce Mon Sep 17 00:00:00 2001
- From: Lidong Chen <lidong.chen@oracle.com>
- Date: Fri, 22 Nov 2024 06:27:56 +0000
- Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read
- Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
- overflow leading to subsequent OOB write or read. This patch fixes the
- issue by replacing grub_zalloc() and explicit multiplication with
- grub_calloc() which does the same thing in safe manner.
- Fixes: CVE-2024-45776
- Reported-by: Nils Langius <nils@langius.de>
- Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
- Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
- Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
- Upstream: 09bd6eb58b0f71ec273916070fa1e2de16897a91
- Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- ---
- grub-core/gettext/gettext.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
- diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
- index e4f4f8ee6..63bb1ab73 100644
- --- a/grub-core/gettext/gettext.c
- +++ b/grub-core/gettext/gettext.c
- @@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
- for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
- ctx->grub_gettext_max_log++);
-
- - ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
- - * sizeof (ctx->grub_gettext_msg_list[0]));
- + ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
- + sizeof (ctx->grub_gettext_msg_list[0]));
- if (!ctx->grub_gettext_msg_list)
- {
- grub_file_close (fd);
- --
- 2.50.1
|
