[SECURITY PATCH 55/73] fs: Prevent overflows when allocating memory for arrays

Tue, 18 Feb 2025 10:05:37 -0800 

From: Lidong Chen <lidong.c...@oracle.com>

Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.

The HFS+ and squash4 security vulnerabilities were reported by
Jonathan Bar Or <jonathanba...@gmail.com>.

Fixes: CVE-2025-0678
Fixes: CVE-2025-1125

Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
---
 grub-core/fs/btrfs.c       | 4 ++--
 grub-core/fs/hfspluscomp.c | 9 +++++++--
 grub-core/fs/squash4.c     | 8 ++++----
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 0625b1166..9c1e925c9 100644
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev)
     }
 
   data->n_devices_allocated = 16;
-  data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
-                                       * data->n_devices_allocated);
+  data->devices_attached = grub_calloc (data->n_devices_allocated,
+                                       sizeof (data->devices_attached[0]));
   if (!data->devices_attached)
     {
       grub_free (data);
diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
index 48ae438d8..a80954ee6 100644
--- a/grub-core/fs/hfspluscomp.c
+++ b/grub-core/fs/hfspluscomp.c
@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file 
*node)
          return 0;
        }
       node->compress_index_size = grub_le_to_cpu32 (index_size);
-      node->compress_index = grub_malloc (node->compress_index_size
-                                         * sizeof (node->compress_index[0]));
+      node->compress_index = grub_calloc (node->compress_index_size,
+                                         sizeof (node->compress_index[0]));
       if (!node->compress_index)
        {
          node->compressed = 0;
          grub_free (attr_node);
          return grub_errno;
        }
+
+      /*
+       * The node->compress_index_size * sizeof (node->compress_index[0]) is 
safe here
+       * due to relevant checks done in grub_calloc() above.
+       */
       if (grub_hfsplus_read_file (node, 0, 0,
                                  0x104 + sizeof (index_size),
                                  node->compress_index_size
diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
index f91ff3bfa..cf2bca822 100644
--- a/grub-core/fs/squash4.c
+++ b/grub-core/fs/squash4.c
@@ -822,10 +822,10 @@ direct_read (struct grub_squash_data *data,
          break;
        }
       total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
-      ino->block_sizes = grub_malloc (total_blocks
-                                     * sizeof (ino->block_sizes[0]));
-      ino->cumulated_block_sizes = grub_malloc (total_blocks
-                                               * sizeof 
(ino->cumulated_block_sizes[0]));
+      ino->block_sizes = grub_calloc (total_blocks,
+                                     sizeof (ino->block_sizes[0]));
+      ino->cumulated_block_sizes = grub_calloc (total_blocks,
+                                               sizeof 
(ino->cumulated_block_sizes[0]));
       if (!ino->block_sizes || !ino->cumulated_block_sizes)
        {
          grub_free (ino->block_sizes);
-- 
2.11.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to