PUBLIC_REPOS
/
buildroot
同期ミラー git://git.buildroot.net/buildroot


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687
							From 593d7b8659bef80b1f6ae3b793332d8eca8b8131 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Tue, 21 Jan 2025 19:02:37 +0000
Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays

Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.

The HFS+ and squash4 security vulnerabilities were reported by
Jonathan Bar Or <jonathanbaror@gmail.com>.

Fixes: CVE-2025-0678
Fixes: CVE-2025-1125

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream: 84bc0a9a68835952ae69165c11709811dae7634e
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 grub-core/fs/btrfs.c       | 4 ++--
 grub-core/fs/hfspluscomp.c | 9 +++++++--
 grub-core/fs/squash4.c     | 8 ++++----
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 0625b1166..9c1e925c9 100644
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev)
     }
 
   data->n_devices_allocated = 16;
-  data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
-					* data->n_devices_allocated);
+  data->devices_attached = grub_calloc (data->n_devices_allocated,
+					sizeof (data->devices_attached[0]));
   if (!data->devices_attached)
     {
       grub_free (data);
diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
index 48ae438d8..a80954ee6 100644
--- a/grub-core/fs/hfspluscomp.c
+++ b/grub-core/fs/hfspluscomp.c
@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
 	  return 0;
 	}
       node->compress_index_size = grub_le_to_cpu32 (index_size);
-      node->compress_index = grub_malloc (node->compress_index_size
-					  * sizeof (node->compress_index[0]));
+      node->compress_index = grub_calloc (node->compress_index_size,
+					  sizeof (node->compress_index[0]));
       if (!node->compress_index)
 	{
 	  node->compressed = 0;
 	  grub_free (attr_node);
 	  return grub_errno;
 	}
+
+      /*
+       * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
+       * due to relevant checks done in grub_calloc() above.
+       */
       if (grub_hfsplus_read_file (node, 0, 0,
 				  0x104 + sizeof (index_size),
 				  node->compress_index_size
diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
index f91ff3bfa..cf2bca822 100644
--- a/grub-core/fs/squash4.c
+++ b/grub-core/fs/squash4.c
@@ -822,10 +822,10 @@ direct_read (struct grub_squash_data *data,
 	  break;
 	}
       total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
-      ino->block_sizes = grub_malloc (total_blocks
-				      * sizeof (ino->block_sizes[0]));
-      ino->cumulated_block_sizes = grub_malloc (total_blocks
-						* sizeof (ino->cumulated_block_sizes[0]));
+      ino->block_sizes = grub_calloc (total_blocks,
+				      sizeof (ino->block_sizes[0]));
+      ino->cumulated_block_sizes = grub_calloc (total_blocks,
+						sizeof (ino->cumulated_block_sizes[0]));
       if (!ino->block_sizes || !ino->cumulated_block_sizes)
 	{
 	  grub_free (ino->block_sizes);
-- 
2.50.1