From: Daniel Kiper
To: grub-devel@gnu.org
Cc: 93sam@debian.org, alexander.burmashev@oracle.com, amakhalov@vmware.com, chris.coulson@canonical.com, cjwatson@debian.org, cperry@redhat.com, darren.kenny@oracle.com, darren.moffat@oracle.com, dave.miner@oracle.com, degranit@microsoft.com, eric.snowberg@oracle.com, ilya.okomin@oracle.com, jan.setjeeilers@oracle.com, jerecox@microsoft.com, jesse@eclypsium.com, john.haxby@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, mbenatto@redhat.com, mickey@eclypsium.com, msrc57813grub@microsoft.com, phcoder@gmail.com, pjones@redhat.com, sajacobu@microsoft.com, todd.vierling@oracle.com, xnox@ubuntu.com
Subject: [SECURITY PATCH 11/28] lzma: Make sure we don't dereference past array
Date: Wed, 29 Jul 2020 19:00:24 +0200
Message-Id: <20200729170041.14082-12-daniel.kiper@oracle.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20200729170041.14082-1-daniel.kiper@oracle.com>
References: <20200729170041.14082-1-daniel.kiper@oracle.com>
From: Konrad Rzeszutek Wilk

The two-dimensional array p->posSlotEncoder[4][64] is being dereferenced using the GetLenToPosState() macro, which checks if len is less than 5, and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294. Obviously we don't want to dereference that far out, so we check if the position found is greater than or equal to kNumLenToPosStates (4) and bail out.

N.B.: Upstream LZMA 18.05 and later has this function completely rewritten without any history.

Fixes: CID 51526

Signed-off-by: Konrad Rzeszutek Wilk
Reviewed-by: Daniel Kiper
---
 grub-core/lib/LzmaEnc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
index f2ec04a8c..753e56a95 100644
--- a/grub-core/lib/LzmaEnc.c
+++ b/grub-core/lib/LzmaEnc.c
@@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize } else { - UInt32 posSlot; + UInt32 posSlot, lenToPosState; RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0); p->state = kMatchNextStates[p->state]; LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices); pos -= LZMA_NUM_REPS; GetPosSlot(pos, posSlot); - RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot); + lenToPosState = GetLenToPosState(len); + if (lenToPosState >= kNumLenToPosStates) + { + p->result = SZ_ERROR_DATA; + return CheckErrors(p); + } + RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot); if (posSlot >= kStartPosModelIndex) { -- 2.11.0
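Review bot: the new `lenToPosState >= kNumLenToPosStates` check in LzmaEnc_CodeOneBlock runs only after `RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0)`, `p->state = kMatchNextStates[p->state]` and `LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, ...)` have already consumed the same `len`, so for the values the commit message describes (len below 2, where `len - 2` wraps) bits have been emitted into the range coder and the state machine has advanced before `SZ_ERROR_DATA` is returned. Consider computing `lenToPosState = GetLenToPosState(len);` and doing the bounds test before those calls so nothing is encoded for an invalid match length. A one-line comment on the guard explaining that it exists because `GetLenToPosState()` subtracts 2 from an unsigned `len` would also help, since the macro itself is not changed by this patch.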
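As an added illustration, not code from the GRUB tree or from this patch, the following C reproduces the unsigned wrap the commit message describes and the guard the hunk adds. The macro body is reconstructed from the commit message's description; its else branch (clamping to the last state) and the two wrapper function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

typedef uint32_t UInt32;

/* Value taken from the commit message: "kNumLenToPosStates (4)". */
#define kNumLenToPosStates 4

/* Reconstruction of GetLenToPosState() from the commit message: for
   len < 5 it subtracts 2 from len. The else branch (clamp to the last
   state) is an assumption about the macro, not shown on the page. */
#define GetLenToPosState(len) \
  (((len) < 5) ? (len) - 2 : kNumLenToPosStates - 1)

/* Pre-patch behaviour: the index is used as-is. For len = 0 or 1 the
   unsigned subtraction wraps, so p->posSlotEncoder[index] would point
   far outside the [4][64] array. Returned here so a test can observe it. */
UInt32 len_to_pos_state_unchecked(UInt32 len)
{
    return GetLenToPosState(len);
}

/* Post-patch behaviour: compute the index first, then refuse anything
   >= kNumLenToPosStates instead of indexing with it. Returns true and
   stores the index when it is in range, false where the patch sets
   p->result = SZ_ERROR_DATA and bails out. */
bool len_to_pos_state_checked(UInt32 len, UInt32 *state)
{
    UInt32 lenToPosState = GetLenToPosState(len);
    if (lenToPosState >= kNumLenToPosStates)
        return false;
    *state = lenToPosState;
    return true;
}
```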