URL: <https://savannah.gnu.org/bugs/?66599>
Summary: GRUB2 heap overflow when parsing HFS filesystems
Group: GNU GRUB
Submitter: yo_yo_yo_jbo
Submitted: Thu 26 Dec 2024 05:13:22 PM UTC
Category: Security
Severity: Major
Priority: 5 - Normal
Item Group: Software Error
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: 2.00
Reproducibility: None
Planned Release: None
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Thu 26 Dec 2024 05:13:22 PM UTC By: Jonathan Bar Or ("JBO")
<yo_yo_yo_jbo>
GRUB2 has an out-of-bounds strcpy (heap overflow) when parsing HFS
filesystems.
In grub-core/fs/hfs.c, there is an assumption that the volume name is a valid
Pascal string, and hence the code simply performs the following:
key.strlen = data->sblock.volname[0];
grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1));
key is of type "struct grub_hfs_catalog_key" and its "str" member is defined
as: grub_uint8_t[31]
The "sblock" member in the data is fully attacker-controlled, since its type
is "grub_hfs_sblock" and all members after "volname" can be set to arbitrary
values, hence avoiding NUL terminators.
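The copy described in the report, as an added illustration that is not GRUB code: the two structs below are simplified, constructed stand-ins for struct grub_hfs_sblock and struct grub_hfs_catalog_key (only key.str being 31 bytes is taken from the report; the 28-byte Pascal volume name is assumed from the HFS on-disk format), the sample superblocks are constructed here, and safe_volname_copy() is one possible bounded replacement, not the project's actual fix. Rather than executing the overflowing strcpy, vuln_copy_len() measures how many bytes it would write by scanning for the first NUL after volname, which is what strcpy keys on instead of the Pascal length byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HFS_VOLNAME_MAX 27   /* assumed: HFS volume name = 1 length byte + up to 27 chars */
#define HFS_KEY_STR_LEN 31   /* size of key.str given in the report */

/* Simplified stand-in for the HFS Master Directory Block as GRUB reads it.
   Only a few leading fields are modelled; "trailer" stands in for every
   field that follows volname, all of which come straight from the disk. */
struct hfs_sblock {
  uint16_t magic;
  uint32_t ctime;
  uint32_t mtime;
  uint16_t attr;
  uint8_t  volname[HFS_VOLNAME_MAX + 1]; /* Pascal string: [0] is the length */
  uint8_t  trailer[128];
} __attribute__((packed));

/* Simplified stand-in for struct grub_hfs_catalog_key. */
struct hfs_catalog_key {
  uint8_t  strlen;
  uint32_t parent_dir;
  uint8_t  str[HFS_KEY_STR_LEN];
};

/* Bytes a strcpy from volname+1 would write before its terminating NUL.
   strcpy stops at the first NUL byte anywhere after volname, not at the
   end of volname and not at the Pascal length. The scan is bounded to the
   superblock so this demo never reads past it; a real strcpy would keep
   going, so the result is a lower bound. */
size_t vuln_copy_len(const struct hfs_sblock *sb)
{
  const uint8_t *p = sb->volname + 1;
  const uint8_t *end = (const uint8_t *)sb + sizeof *sb;
  size_t n = 0;
  while (p + n < end && p[n] != 0)
    n++;
  return n;
}

/* One way to harden the copy (an assumption, not GRUB's fix): validate the
   Pascal length byte against the on-disk maximum, copy exactly that many
   bytes and terminate. Returns the length used, or -1 on a bogus length. */
int safe_volname_copy(const struct hfs_sblock *sb, struct hfs_catalog_key *key)
{
  uint8_t len = sb->volname[0];
  if (len > HFS_VOLNAME_MAX)
    return -1;
  memcpy(key->str, sb->volname + 1, len);
  key->str[len] = '\0';
  key->strlen = len;
  return len;
}

/* Constructed sample: a sane MDB with a NUL-terminated name. */
void make_benign_sblock(struct hfs_sblock *sb)
{
  memset(sb, 0, sizeof *sb);
  sb->magic = 0x4244;                 /* 'BD', the HFS MDB signature */
  sb->volname[0] = 8;
  memcpy(sb->volname + 1, "Untitled", 8);
}

/* Constructed sample: a plausible length byte (27) but every byte after it,
   including all the fields following volname, is non-zero, so no NUL exists
   anywhere in the superblock for strcpy to stop at. */
void make_crafted_sblock(struct hfs_sblock *sb)
{
  memset(sb, 0x41, sizeof *sb);
  sb->magic = 0x4244;
  sb->volname[0] = HFS_VOLNAME_MAX;
}

size_t demo_benign_len(void)
{
  struct hfs_sblock sb; make_benign_sblock(&sb); return vuln_copy_len(&sb);
}
size_t demo_crafted_len(void)
{
  struct hfs_sblock sb; make_crafted_sblock(&sb); return vuln_copy_len(&sb);
}
int demo_safe_benign(void)
{
  struct hfs_sblock sb; struct hfs_catalog_key k; make_benign_sblock(&sb);
  int n = safe_volname_copy(&sb, &k); return (n >= 0 && k.str[n] == 0) ? n : -2;
}
int demo_safe_crafted(void)
{
  struct hfs_sblock sb; struct hfs_catalog_key k; make_crafted_sblock(&sb);
  int n = safe_volname_copy(&sb, &k); return (n >= 0 && k.str[n] == 0) ? n : -2;
}
int demo_safe_bad_len(void)
{
  struct hfs_sblock sb; struct hfs_catalog_key k; make_crafted_sblock(&sb);
  sb.volname[0] = 255; return safe_volname_copy(&sb, &k);
}

int main(void)
{
  printf("benign: strcpy writes %zu bytes into a %d-byte key.str\n", demo_benign_len(), HFS_KEY_STR_LEN);
  printf("crafted: strcpy writes at least %zu bytes into a %d-byte key.str\n", demo_crafted_len(), HFS_KEY_STR_LEN);
  printf("bounded copy: benign=%d crafted=%d bad_len=%d\n", demo_safe_benign(), demo_safe_crafted(), demo_safe_bad_len());
  return 0;
}
```

The crafted superblock keeps a valid-looking length byte, which is the point of the report: the length byte is read into key.strlen but never used to bound the copy, so an image that avoids NUL bytes in the fields after volname drives strcpy far past the 31-byte key.str.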
_______________________________________________________
