From: Daniel Kiper
To: grub-devel@gnu.org
Cc: 93sam@debian.org, alexander.burmashev@oracle.com, amakhalov@vmware.com, chris.coulson@canonical.com, cjwatson@debian.org, cperry@redhat.com, darren.kenny@oracle.com, darren.moffat@oracle.com, dave.miner@oracle.com, degranit@microsoft.com, eric.snowberg@oracle.com, ilya.okomin@oracle.com, jan.setjeeilers@oracle.com, jerecox@microsoft.com, jesse@eclypsium.com, john.haxby@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, mbenatto@redhat.com, mickey@eclypsium.com, msrc57813grub@microsoft.com, phcoder@gmail.com, pjones@redhat.com, sajacobu@microsoft.com, todd.vierling@oracle.com, xnox@ubuntu.com
Subject: [SECURITY PATCH 12/28] term: Fix overflow on user inputs
Date: Wed, 29 Jul 2020 19:00:25 +0200
Message-Id: <20200729170041.14082-13-daniel.kiper@oracle.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20200729170041.14082-1-daniel.kiper@oracle.com>
References: <20200729170041.14082-1-daniel.kiper@oracle.com>
From: Konrad Rzeszutek Wilk

This requires a very weird input from the serial interface but can cause an overflow in input_buf (keys) overwriting the next variable (npending) with the user choice:

(pahole output)
struct grub_terminfo_input_state {
        int input_buf[6];        /*     0    24 */
        int npending;            /*    24     4 */ <- CORRUPT
...snip...

The magic string required to cause this is "ESC,O,],0,1,2,q" and we overflow npending with "q" (aka increase npending to 161).

The simplest fix is just to disallow overwriting input_buf, which is exactly what this patch does.

Fixes: CID 292449

Signed-off-by: Konrad Rzeszutek Wilk
Reviewed-by: Daniel Kiper
---
 grub-core/term/terminfo.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/grub-core/term/terminfo.c b/grub-core/term/terminfo.c
index 0e9de7f8f..cd7200803 100644
--- a/grub-core/term/terminfo.c
+++ b/grub-core/term/terminfo.c
@@ -398,7 +398,7 @@ grub_terminfo_getwh (struct grub_term_output *term) } static void -grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, +grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, int max_len, int (*readkey) (struct grub_term_input *term)) { int c; @@ -414,6 +414,9 @@ grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, if (c == -1) \ return; \ \ + if (*len >= max_len) \ + return; \ + \ keys[*len] = c; \ (*len)++; \ }
@@ -602,8 +605,8 @@ grub_terminfo_getkey (struct grub_term_input *termi) return ret; } - grub_terminfo_readkey (termi, data->input_buf, - &data->npending, data->readkey); + grub_terminfo_readkey (termi, data->input_buf, &data->npending, + GRUB_TERMINFO_READKEY_MAX_LEN, data->readkey); #if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275) if (data->npending == 1 && data->input_buf[0] == GRUB_TERM_ESC -- 2.11.0
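Review bot: in the @@ -414 hunk the new `if (*len >= max_len) return;` sits after the `c == -1` check, i.e. after a key has already been read, so once the buffer holds `max_len` entries the byte just read is consumed and silently discarded instead of being left for the next call. If the intent is only to stop the out-of-bounds store, consider placing the bound check before the read so no input is lost, or adding a comment stating that excess bytes are dropped on purpose. The comparison itself is right: `*len` counts stored keys, so `>=` refuses the write at index `max_len`. As these lines are inside a backslash-continued macro body, the early `return` leaves the enclosing function, which matches the existing `c == -1` path.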
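Review bot: the @@ -602 hunk passes `GRUB_TERMINFO_READKEY_MAX_LEN`, but no definition of that macro appears in this patch (the diffstat's 6 insertions are fully accounted for by the three hunks: 1, 3 and 2 lines), so it must already exist in a header or the build breaks. Please confirm it is defined and that its value equals the 6 elements of `input_buf` shown in the pahole output above; a larger value would silently reintroduce the overflow this patch fixes. Deriving the bound from the array itself at the call site, for example `ARRAY_SIZE (data->input_buf)` if that helper is available in this tree, would keep the constant and the array size from drifting apart.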