Coverity has listed two untrusted loop bound bugs in grub-core/loader/multiboot_elfxx.c. They are CID 314029 and CID 314038. After testing the first patch, the CID changed to an untrusted loop bound for line 244: shdr = grub_calloc (shnum, ehdr->e_shentsize);. I added a second patch to address this, but after making these changes, it reverted to the original bug of using tainted data in grub_memset(). The third patch addresses Coverity's issue with phdr() in grub_memset() and reduces the bug to only having an issue with using phnum as an untrusted loop bound. However, we can ignore this since phnum is already getting checked earlier in the function.
I've also bundled a use-after-free patch with this patch set at the end.

Alec Brown (4):
  elf: Check program memory isn't larger than allocated memory size
  elf: Check section header region before allocating memory
  elf: check program header offset doesn't exceed constraints
  efi: Fix use-after-free in finish boot services

 grub-core/kern/efi/mm.c            |  3 +++
 grub-core/loader/multiboot_elfxx.c | 22 +++++++++++++++++-----
 2 files changed, 20 insertions(+), 5 deletions(-)

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
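The three ELF checks the cover letter describes (the section-header region must fit in the image before anything is allocated for it, a program header's file offset must stay within the image, and a segment's file-backed size must not exceed its memory size), as an added standalone example. This is not GRUB's code and not the patches themselves: it reads the ELF64 little-endian header fields by hand from a constructed sample image rather than through GRUB's loader, and the function names (elf64_check_header_tables, elf64_check_phdrs, build_sample_image, check_sample), the sample layout and the tamper variants are all assumptions of the example. Because e_phnum/e_shnum and e_phentsize/e_shentsize are 16-bit, their product cannot overflow a 64-bit size, so once the table has been checked against the image length the product is a safe allocation size and the count is a trusted loop bound, which is why a remaining "untrusted loop bound" warning on an already-checked count can be ignored.

```c
/* Added example (not GRUB's own code): bounds-check the ELF64 program and
   section header tables of an untrusted image before their fields are used
   as allocation sizes or loop bounds, then check each program header. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EH_SIZE 64          /* sizeof (Elf64_Ehdr) */
#define PH_SIZE 56          /* sizeof (Elf64_Phdr) */
#define SH_SIZE 64          /* sizeof (Elf64_Shdr) */
#define OFF_E_PHOFF     32  /* field offsets inside Elf64_Ehdr */
#define OFF_E_SHOFF     40
#define OFF_E_PHENTSIZE 54
#define OFF_E_PHNUM     56
#define OFF_E_SHENTSIZE 58
#define OFF_E_SHNUM     60
#define OFF_P_OFFSET     8  /* field offsets inside Elf64_Phdr */
#define OFF_P_FILESZ    32
#define OFF_P_MEMSZ     40
#define IMG_LEN 248         /* constructed sample: ehdr + 1 phdr + 2 shdr */

static uint16_t rd16 (const uint8_t *p) { return (uint16_t) (p[0] | (p[1] << 8)); }
static uint64_t rd64 (const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void wr16 (uint8_t *p, uint16_t v) { p[0] = (uint8_t) v; p[1] = (uint8_t) (v >> 8); }
static void wr64 (uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t) (v >> (8 * i)); }

/* Accept a header table only if [off, off + num * entsize) lies inside the
   image. num and entsize are 16-bit, so the product cannot overflow uint64_t;
   on success *bytes is the size that is safe to hand to an allocator. */
static int
table_in_bounds (uint64_t off, uint16_t num, uint16_t entsize,
                 uint16_t min_entsize, uint64_t len, uint64_t *bytes)
{
  uint64_t size = (uint64_t) num * entsize;
  if (num != 0 && entsize < min_entsize)
    return -1;                        /* entries too small to hold the fields read below */
  if (off > len || size > len - off)
    return -1;                        /* written this way so off + size cannot wrap */
  *bytes = size;
  return 0;
}

/* Validate e_phoff/e_phnum and e_shoff/e_shnum against the image length. */
int
elf64_check_header_tables (const uint8_t *img, size_t len,
                           uint64_t *phdr_bytes, uint64_t *shdr_bytes)
{
  if (len < EH_SIZE || memcmp (img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
    return -1;                        /* not a little-endian ELF64 image */
  if (table_in_bounds (rd64 (img + OFF_E_PHOFF), rd16 (img + OFF_E_PHNUM),
                       rd16 (img + OFF_E_PHENTSIZE), PH_SIZE, len, phdr_bytes) != 0)
    return -1;
  if (table_in_bounds (rd64 (img + OFF_E_SHOFF), rd16 (img + OFF_E_SHNUM),
                       rd16 (img + OFF_E_SHENTSIZE), SH_SIZE, len, shdr_bytes) != 0)
    return -1;
  return 0;
}

/* After the tables are known to be in bounds, phnum is a trusted loop bound.
   Each segment's file-backed bytes must lie inside the image and must not be
   larger than the memory region (p_memsz) they are copied into. */
int
elf64_check_phdrs (const uint8_t *img, size_t len)
{
  uint64_t phdr_bytes, shdr_bytes;
  if (elf64_check_header_tables (img, len, &phdr_bytes, &shdr_bytes) != 0)
    return -1;
  uint64_t phoff = rd64 (img + OFF_E_PHOFF);
  uint16_t phnum = rd16 (img + OFF_E_PHNUM);
  uint16_t phentsize = rd16 (img + OFF_E_PHENTSIZE);
  for (size_t i = 0; i < phnum; i++)  /* size_t, not uint16_t: a 16-bit counter could never exceed 0xffff */
    {
      const uint8_t *ph = img + phoff + i * phentsize;
      uint64_t off = rd64 (ph + OFF_P_OFFSET);
      uint64_t filesz = rd64 (ph + OFF_P_FILESZ);
      uint64_t memsz = rd64 (ph + OFF_P_MEMSZ);
      if (off > len || filesz > len - off)
        return -1;                    /* segment data runs past the end of the image */
      if (filesz > memsz)
        return -1;                    /* more file bytes than the allocated memory size */
    }
  return 0;
}

/* Constructed sample image: one PT_LOAD covering the whole file and two empty
   section headers. tamper selects a deliberately malformed variant. */
size_t
build_sample_image (uint8_t *buf, size_t cap, int tamper)
{
  if (cap < IMG_LEN)
    return 0;
  memset (buf, 0, IMG_LEN);
  memcpy (buf, "\x7f" "ELF", 4);
  buf[4] = 2; buf[5] = 1; buf[6] = 1;          /* ELFCLASS64, little-endian, EV_CURRENT */
  wr16 (buf + 16, 2);                          /* ET_EXEC */
  wr64 (buf + OFF_E_PHOFF, EH_SIZE);
  wr16 (buf + OFF_E_PHENTSIZE, PH_SIZE);
  wr16 (buf + OFF_E_PHNUM, 1);
  wr64 (buf + OFF_E_SHOFF, EH_SIZE + PH_SIZE);
  wr16 (buf + OFF_E_SHENTSIZE, SH_SIZE);
  wr16 (buf + OFF_E_SHNUM, 2);
  uint8_t *ph = buf + EH_SIZE;
  ph[0] = 1;                                   /* PT_LOAD */
  wr64 (ph + OFF_P_OFFSET, 0);
  wr64 (ph + OFF_P_FILESZ, IMG_LEN);
  wr64 (ph + OFF_P_MEMSZ, 4096);
  switch (tamper)
    {
    case 1: wr16 (buf + OFF_E_SHNUM, 0xffff); break;      /* huge shnum: oversized calloc / loop bound */
    case 2: wr64 (buf + OFF_E_SHOFF, IMG_LEN - 1); break; /* section table starts inside, ends past the end */
    case 3: wr64 (ph + OFF_P_MEMSZ, 128); break;          /* p_filesz larger than p_memsz */
    case 4: wr64 (ph + OFF_P_OFFSET, 200); break;         /* p_offset + p_filesz past the end */
    }
  return IMG_LEN;
}

/* Returns 0 if variant `tamper` is accepted, -1 if it is rejected. */
int
check_sample (int tamper)
{
  uint8_t buf[IMG_LEN];
  size_t len = build_sample_image (buf, sizeof buf, tamper);
  return elf64_check_phdrs (buf, len);
}

int
main (void)
{
  for (int t = 0; t <= 4; t++)
    printf ("variant %d: %s\n", t, check_sample (t) == 0 ? "accepted" : "rejected");
  return 0;
}
```

Only variant 0 is accepted; each of the other four is rejected by exactly one of the checks above, and the reject paths never read beyond the validated header tables.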