You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
66 lines
2.4 KiB
66 lines
2.4 KiB
From a5fa3f370171482c7cdcb44af99e24040d1632ce Mon Sep 17 00:00:00 2001 |
|
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
Date: Tue, 7 Jul 2020 15:12:25 -0400 |
|
Subject: [PATCH 309/336] term: Fix overflow on user inputs |
|
|
|
This requires a very weird input from the serial interface but can cause |
|
an overflow in input_buf (keys) overwriting the next variable (npending) |
|
with the user choice: |
|
|
|
(pahole output) |
|
|
|
struct grub_terminfo_input_state { |
|
int input_buf[6]; /* 0 24 */ |
|
int npending; /* 24 4 */ <- CORRUPT |
|
...snip... |
|
|
|
The magic string requires causing this is "ESC,O,],0,1,2,q" and we overflow |
|
npending with "q" (aka increase npending to 161). The simplest fix is to |
|
just to disallow overwrites input_buf, which exactly what this patch does. |
|
|
|
Fixes: CID 292449 |
|
|
|
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
|
Upstream-commit-id: 98dfa546777 |
|
--- |
|
grub-core/term/terminfo.c | 9 ++++++--- |
|
1 file changed, 6 insertions(+), 3 deletions(-) |
|
|
|
diff --git a/grub-core/term/terminfo.c b/grub-core/term/terminfo.c |
|
index 7cb7909c8cf..aea9ffd0af7 100644 |
|
--- a/grub-core/term/terminfo.c |
|
+++ b/grub-core/term/terminfo.c |
|
@@ -398,7 +398,7 @@ grub_terminfo_getwh (struct grub_term_output *term) |
|
} |
|
|
|
static void |
|
-grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, |
|
+grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, int max_len, |
|
int (*readkey) (struct grub_term_input *term)) |
|
{ |
|
int c; |
|
@@ -414,6 +414,9 @@ grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, |
|
if (c == -1) \ |
|
return; \ |
|
\ |
|
+ if (*len >= max_len) \ |
|
+ return; \ |
|
+ \ |
|
keys[*len] = c; \ |
|
(*len)++; \ |
|
} |
|
@@ -602,8 +605,8 @@ grub_terminfo_getkey (struct grub_term_input *termi) |
|
return ret; |
|
} |
|
|
|
- grub_terminfo_readkey (termi, data->input_buf, |
|
- &data->npending, data->readkey); |
|
+ grub_terminfo_readkey (termi, data->input_buf, &data->npending, |
|
+ GRUB_TERMINFO_READKEY_MAX_LEN, data->readkey); |
|
|
|
#if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275) |
|
if (data->npending == 1 && data->input_buf[0] == '\e' |
|
-- |
|
2.26.2 |
|
|
|
|