Re: [PATCH] Fix security issue when reading username and password

Thu, 24 Oct 2019 08:51:43 -0700 

Hello Daniel,

Something went wrong in my last email, what I wanted to say is:

The patch prevents that "cur_len" underflows. No negative values for
"cur_len" so no way to underflow the "cur_len" variable and therefore no
vulnerability.

Hector.


On 24/10/2019 15:13, Hector Marco wrote:
> Hello Daniel,
> 
> The patch prevents that "cur_len" underflows. No negative values for
> "cur_len" so way to underflow the "cur_len" variable and therefore
> 
> I hope this helps,
> 
> Hector.
> 
> 
> 
> On 23/10/2019 11:14, Daniel Kiper wrote:
>> On Fri, Oct 18, 2019 at 02:39:01PM +0200, Javier Martinez Canillas wrote:
>>> From: Hector Marco-Gisbert <hecma...@upv.es>
>>>
>>>   This patch fixes two integer underflows at:
>>>     * grub-core/lib/crypto.c
>>>     * grub-core/normal/auth.c
>>>
>>> Resolves: CVE-2015-8370
>>>
>>> Signed-off-by: Hector Marco-Gisbert <hecma...@upv.es>
>>> Signed-off-by: Ismael Ripoll-Ripoll <irip...@disca.upv.es>
>>> Signed-off-by: Javier Martinez Canillas <javi...@redhat.com>
>>> ---
>>>
>>>  grub-core/lib/crypto.c  | 2 +-
>>>  grub-core/normal/auth.c | 2 +-
>>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
>>> index ca334d5a40e..e6c78d16d39 100644
>>> --- a/grub-core/lib/crypto.c
>>> +++ b/grub-core/lib/crypto.c
>>> @@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned buf_size)
>>>       break;
>>>     }
>>>
>>> -      if (key == '\b')
>>> +      if (key == '\b' && cur_len)
>>>     {
>>>       if (cur_len)
>>>         cur_len--;
>>> diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
>>> index 6be678c0de1..c35ce972473 100644
>>> --- a/grub-core/normal/auth.c
>>> +++ b/grub-core/normal/auth.c
>>> @@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned buf_size)
>>>       break;
>>>     }
>>>
>>> -      if (key == GRUB_TERM_BACKSPACE)
>>> +      if (key == GRUB_TERM_BACKSPACE && cur_len)
>>>     {
>>>       if (cur_len)
>>>         {
>>
>> TBH, I do not understand how this patch helps. It only delays continue
>> execution to the next "if (!grub_isprint (key))" if cur_len == 0.
>>
>> Daniel
>>
> 


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to