[bug #65880] heap-buffer-overflow in grub-mkrescue.c

2024-07-01 Thread Thomas Schmitt
Follow-up Comment #4, bug #65880 (group grub):

Hi,

belatedly I can report that the proposed change was committed to the
git repo of GRUB as
 
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b53ec06a1d6f22ffc1139cbfc0f292e4ca2da9cd

I propose to close the bug now.

Have a nice day :)

Thomas



___

Reply to this item at:

  

___
Message sent via Savannah
https://savannah.gnu.org/




[bug #65880] heap-buffer-overflow in grub-mkrescue.c

2024-06-17 Thread Thomas Schmitt
Follow-up Comment #3, bug #65880 (group grub):

Hi,

the patch is now posted for review and testing at grub-devel:
  https://lists.gnu.org/archive/html/grub-devel/2024-06/msg00163.html

Have a nice day :)

Thomas







Re: [bug #65880] heap-buffer-overflow in grub-mkrescue.c

2024-06-17 Thread Thomas Schmitt
Hi,

Vladimir Serbinenko wrote:
> Thomas, savannah just butchers the patch.

Looking in my mailbox ... that line break before "argument" is not by me.

> Can you send it to ML?

I have it ready for grub-devel (git format-patch) and plan to post it
by "git send-email" this evening unless Victoriia Egorova reports that
it does not work.

Whatever, here it is in advance to bug-grub@gnu.org.

Have a nice day :)

Thomas

===

[PATCH 1/1] util/grub-mkrescue: Check existence of option arguments

As reported by Victoriia Egorova in bug 65880, grub-mkrescue does not
verify that the expected argument of an option like -d or -k does really
exist in argv.
So check the loop counter before incrementing it inside the loop which
copies argv to argp_argv. Issue an error message similar to what older
versions of grub-mkrescue did with a missing argument (e.g. 2.02).

Fixes: https://savannah.gnu.org/bugs/index.php?65880
Signed-off-by: Thomas Schmitt 
---
 util/grub-mkrescue.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c
index abcc1c2f5..8714d819e 100644
--- a/util/grub-mkrescue.c
+++ b/util/grub-mkrescue.c
@@ -477,6 +477,9 @@ main (int argc, char *argv[])
 for (i = 1; i < argc; i++)
   {
if (strcmp (argv[i], "-output") == 0) {
+ if (i + 1 >= argc)
+   grub_util_error ("%s -- '%s'", _("option requires an argument"),
+argv[i]);
  argp_argv[argp_argc++] = (char *) "--output";
  i++;
  argp_argv[argp_argc++] = argv[i];
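Review bot: the new check sits before both stores, so the "-output" rewrite can no longer push argp_argc past the argc slots argp_argv was allocated with; one nit is that the message quotes argv[i] dash included (-- '-output'), while the 2.02 wording this imitates reports the bare option (-- 'k', as shown in comment #1), so consider printing the option without its leading dash, or keep it as is and mention the difference in the commit message.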
@@ -485,6 +488,9 @@ main (int argc, char *argv[])
switch (args_to_eat (argv[i]))
  {
  case 2:
+   if (i + 1 >= argc)
+ grub_util_error ("%s -- '%s'", _("option requires an argument"),
+  argv[i]);
argp_argv[argp_argc++] = argv[i++];
/* Fallthrough  */
  case 1:
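Review bot: the guard before `argp_argv[argp_argc++] = argv[i++];` is sufficient for the fallthrough, because the loop condition already guarantees i < argc for the store in case 1; the same three-line check is now repeated verbatim in both hunks, though, so a small static helper that takes argv[i] and calls grub_util_error would keep the wording and the exit path in one place.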
--
2.39.2




[bug #65880] heap-buffer-overflow in grub-mkrescue.c

2024-06-17 Thread Vladimir Serbinenko
Follow-up Comment #2, bug #65880 (group grub):

Thomas, savannah just butchers the patch. Can you send it to ML?






[bug #65880] heap-buffer-overflow in grub-mkrescue.c

2024-06-14 Thread Thomas Schmitt
Follow-up Comment #1, bug #65880 (group grub):

Hi,

I can confirm that it happens on Debian 12 with the Debian amd64 package
grub-common (2.06-13+deb12u1) (plus grub-efi-amd64, grub-efi-amd64-bin,
grub-efi-amd64-signed, grub2-common) and also with a git clone of today.

The change at the end of this comment fixes the problem for me (and
mimics the error message of Debian 8 which does not show the problem).

Debian-8 binary:
  grub-mkrescue: option requires an argument -- 'k'
  Try 'grub-mkrescue --help' or 'grub-mkrescue --usage' for more information.

Changed git clone:
  $ ./grub-mkrescue -k
  ./grub-mkrescue: error: option requires an argument -- '-k'.
  $ echo $?
  1

Please try whether the change works for you, too.

Have a nice day :)

Thomas

--

--- util/grub-mkrescue.c.orig   2024-06-14 14:34:18.109255492 +0200
+++ util/grub-mkrescue.c2024-06-14 14:37:18.052729569 +0200
@@ -477,6 +477,9 @@ main (int argc, char *argv[])
 for (i = 1; i < argc; i++)
   {
if (strcmp (argv[i], "-output") == 0) {
+ if (i + 1 >= argc)
+   grub_util_error ("%s -- '%s'", _("option requires an argument"),
+argv[i]);
  argp_argv[argp_argc++] = (char *) "--output";
  i++;
  argp_argv[argp_argc++] = argv[i];
@@ -485,6 +488,9 @@ main (int argc, char *argv[])
switch (args_to_eat (argv[i]))
  {
  case 2:
+   if (i + 1 >= argc)
+ grub_util_error ("%s -- '%s'", _("option requires an
argument"),
+  argv[i]);
argp_argv[argp_argc++] = argv[i++];
/* Fallthrough  */
  case 1:
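Review bot: as posted here this hunk cannot apply: the literal `_("option requires an argument")` is broken across two lines (`option requires an` / `argument"),`), which leaves an unterminated string on the first of them; the copy sent to grub-devel and quoted earlier in this thread carries the line intact, so that is the one to test against.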







[bug #65880] heap-buffer-overflow in grub-mkrescue.c

2024-06-14 Thread Victoriia Egorova
URL:
  

  Summary: heap-buffer-overflow in grub-mkrescue.c
  Group: GNU GRUB
  Submitter: vegorova
  Submitted: Fri 14 Jun 2024 11:13:08
  Category: None
  Severity: Major
  Priority: 5 - Normal
  Item Group: None
  Status: None
  Privacy: Public
  Assigned to: None
  Originator Name: 
  Originator Email: 
  Open/Closed: Open
  Release: other
  Release: 
  Discussion Lock: Any
  Reproducibility: Every Time
  Planned Release: None


___

Follow-up Comments:


---
Date: Fri 14 Jun 2024 11:13:08   By: Victoriia Egorova 
Steps to reproduce:
build grub2 (I tried v2.06, but this code part seems almost the same in
v2.12) with ASAN
run grub-mkrescue with the -k or -d option without additional args:
./grub-mkrescue -k
or
./grub-mkrescue -d

It looks like we're looking for the arg after these flags (-k and -d), but if
we don't have it we also haven't allocated enough memory for argp_argv (we
allocated it only for argc elements, in this case there are only two of them),
but we are trying to write to it in the line
argp_argv[argp_argc++] = argv[i];
so it causes a heap-buffer-overflow.


Backtrace:

==264950==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200380 at pc 0x5e64d4e5f556 bp 0x7fff53f3ba30 sp 0x7fff53f3ba28
WRITE of size 8 at 0x60200380 thread T0
    #0 0x5e64d4e5f555 in main ../../util/grub-mkrescue.c:471
    #1 0x7cc0f5e04249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #2 0x7cc0f5e04304 in __libc_start_main_impl ../csu/libc-start.c:360
    #3 0x5e64d4e61a20 in _start (/app/grub/grub2/grub2-2.06/obj/grub-pc/grub-mkrescue+0x4ea20)

0x60200380 is located 0 bytes to the right of 16-byte region [0x60200370,0x60200380)
allocated by thread T0 here:
    #0 0x7cc0f61553b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5e64d4ff5275 in xcalloc ../../grub-core/kern/emu/misc.c:93

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../util/grub-mkrescue.c:471 in main
Shadow bytes around the buggy address:
==264950==ABORTING








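The overflow the report describes, and the effect of the patch's check, as an added model in C; this is not GRUB's code. It assumes, as the report and the hunks indicate, that argp_argv holds argc slots with slot 0 = argv[0], and it stands in a hypothetical args_to_eat() that returns 2 for -d and -k, 1 for other dash options and 0 otherwise. The unpatched path reports a would-be out-of-bounds store as a return code instead of performing it.

```c
#include <string.h>

/* Hypothetical model of grub-mkrescue's argv copying loop (not GRUB code).
 * Assumed: argp_argv has argc slots with slot 0 = argv[0]; args_to_eat()
 * returns 2 for options taking an argument (-d, -k), 1 for other dash
 * options, 0 for words the real tool hands to xorriso instead. */
static int args_to_eat(const char *a)
{
    if (strcmp(a, "-d") == 0 || strcmp(a, "-k") == 0)
        return 2;
    return a[0] == '-' ? 1 : 0;
}

enum { COPY_MISSING_ARG = -1, COPY_OVERFLOW = -2 };

/* Copy argv into out[] (capacity argc) and return the number of entries
 * stored.  fixed == 0 follows the unpatched logic, but reports a write past
 * out[] as COPY_OVERFLOW instead of performing it (this is the ASan finding);
 * fixed != 0 adds the patch's "i + 1 >= argc" check, which returns
 * COPY_MISSING_ARG before any out-of-bounds write can happen. */
static int copy_args(int argc, char *argv[], char *out[], int fixed)
{
    int argp_argc = 0, i;
    out[argp_argc++] = argv[0];
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-output") == 0) {
            if (fixed && i + 1 >= argc) return COPY_MISSING_ARG;
            if (argp_argc + 2 > argc) return COPY_OVERFLOW;
            out[argp_argc++] = (char *) "--output";
            out[argp_argc++] = argv[++i];
            continue;
        }
        switch (args_to_eat(argv[i])) {
        case 2:
            if (fixed && i + 1 >= argc) return COPY_MISSING_ARG;
            if (argp_argc + 2 > argc) return COPY_OVERFLOW;
            out[argp_argc++] = argv[i++];
            /* Fallthrough: case 1 stores the option's argument */
        case 1:
            if (argp_argc + 1 > argc) return COPY_OVERFLOW;
            out[argp_argc++] = argv[i];
            break;
        default:
            break;
        }
    }
    return argp_argc;
}
```

With a complete command line each consumed argv entry yields at most one out[] entry, so the patched loop can never exceed the argc slots; only a dangling -d, -k or -output could, and that is exactly what the new check rejects.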