In _asn1_tag_der(), the first while loop for the long form may end up with a 'k' value with 'ASN1_MAX_TAG_SIZE' and cause the buffer overrun in the second while loop. This commit tweaks the conditional check to avoid producing a too large 'k'.
This is a quick fix and may differ from the official upstream fix. libtasn1 issue: https://gitlab.com/gnutls/libtasn1/-/issues/49 Signed-off-by: Gary Lin <g...@suse.com> Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> --- ...sn1-fix-the-potential-buffer-overrun.patch | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 grub-core/lib/libtasn1-patches/0005-libtasn1-fix-the-potential-buffer-overrun.patch diff --git a/grub-core/lib/libtasn1-patches/0005-libtasn1-fix-the-potential-buffer-overrun.patch b/grub-core/lib/libtasn1-patches/0005-libtasn1-fix-the-potential-buffer-overrun.patch new file mode 100644 index 000000000..8cca86fad --- /dev/null +++ b/grub-core/lib/libtasn1-patches/0005-libtasn1-fix-the-potential-buffer-overrun.patch @@ -0,0 +1,35 @@ +From 38cc5e33cf89ed5d3152923fbedd9869bf566bb5 Mon Sep 17 00:00:00 2001 +From: Gary Lin <g...@suse.com> +Date: Mon, 8 Apr 2024 14:57:21 +0800 +Subject: [PATCH 5/6] libtasn1: fix the potential buffer overrun + +In _asn1_tag_der(), the first while loop for the long form may end up +with a 'k' value with 'ASN1_MAX_TAG_SIZE' and cause the buffer overrun +in the second while loop. This commit tweaks the conditional check to +avoid producing a too large 'k'. + +This is a quick fix and may differ from the official upstream fix. + +libtasn1 issue: https://gitlab.com/gnutls/libtasn1/-/issues/49 + +Signed-off-by: Gary Lin <g...@suse.com> +--- + grub-core/lib/libtasn1-grub/lib/coding.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/lib/libtasn1-grub/lib/coding.c b/grub-core/lib/libtasn1-grub/lib/coding.c +index 5d03bca9d..0458829a5 100644 +--- a/grub-core/lib/libtasn1-grub/lib/coding.c ++++ b/grub-core/lib/libtasn1-grub/lib/coding.c +@@ -143,7 +143,7 @@ _asn1_tag_der (unsigned char class, unsigned int tag_value, + temp[k++] = tag_value & 0x7F; + tag_value >>= 7; + +- if (k > ASN1_MAX_TAG_SIZE - 1) ++ if (k >= ASN1_MAX_TAG_SIZE - 1) + break; /* will not encode larger tags */ + } + *ans_len = k + 1; +-- +2.35.3 + -- 2.35.3 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
