From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1k0pTn-0003XZ-J3 for mharc-grub-devel@gnu.org; Wed, 29 Jul 2020 13:02:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:41212) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k0pTm-0003Uf-1c for grub-devel@gnu.org; Wed, 29 Jul 2020 13:02:58 -0400 Received: from aserp2120.oracle.com ([141.146.126.78]:55628) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k0pTk-0000ou-0E for grub-devel@gnu.org; Wed, 29 Jul 2020 13:02:57 -0400 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 06TH1feM040848; Wed, 29 Jul 2020 17:02:50 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references; s=corp-2020-01-29; bh=mc28xysnxpkJpUgiLWFSWcrm3gBEfuYnoflcrrScgAE=; b=ledkprEprHx8wbHP8ong5vFfkMXIdpRGfSkdOmjox/y1+2Tj0u0TIot6FuQFUUJPd363 xRvpfM9MCj/0gpenfSP9tzmsukL/CH0YrkMB8T4zkaWoSOfQpiMaIYg6nKRJiX97q1jd TrWsDCcOyJJUW9XRLvk00X8m58DzPB2BdZbAhyC9ne9+K1aHUBIbqJg7ooPI7QGXu6LM IymIWt16bTupJdRIGXs5ynmjS8shWkL3Kn9pKBKzLvuHCXCpe0dbSqfEjGSS9vsP90wL KSrSqOS9HksC/nVsAUJLz1S9y+Y26Jwm3x/O0st0VEwfAEGFrqDylJtK/w88YnMuv8eU 7g== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by aserp2120.oracle.com with ESMTP id 32hu1jeuyj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 29 Jul 2020 17:02:50 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 06TH2m9S088696; Wed, 29 Jul 2020 17:02:49 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserp3030.oracle.com with ESMTP id 32hu5w20nv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 29 Jul 2020 17:02:49 +0000 Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 06TH2e8D022271; Wed, 29 Jul 2020 17:02:40 GMT Received: from tomti.i.net-space.pl (/10.175.200.191) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 29 Jul 2020 10:02:39 -0700 From: Daniel Kiper To: grub-devel@gnu.org Cc: 93sam@debian.org, alexander.burmashev@oracle.com, amakhalov@vmware.com, chris.coulson@canonical.com, cjwatson@debian.org, cperry@redhat.com, darren.kenny@oracle.com, darren.moffat@oracle.com, dave.miner@oracle.com, degranit@microsoft.com, eric.snowberg@oracle.com, ilya.okomin@oracle.com, jan.setjeeilers@oracle.com, jerecox@microsoft.com, jesse@eclypsium.com, john.haxby@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, mbenatto@redhat.com, mickey@eclypsium.com, msrc57813grub@microsoft.com, phcoder@gmail.com, pjones@redhat.com, sajacobu@microsoft.com, todd.vierling@oracle.com, xnox@ubuntu.com Subject: [SECURITY PATCH 19/28] script: Avoid a use-after-free when redefining a function during execution Date: Wed, 29 Jul 2020 19:00:32 +0200 Message-Id: <20200729170041.14082-20-daniel.kiper@oracle.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20200729170041.14082-1-daniel.kiper@oracle.com> References: <20200729170041.14082-1-daniel.kiper@oracle.com> X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9697 signatures=668679 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=3 malwarescore=0 mlxscore=0 adultscore=0 spamscore=0 phishscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007290116 X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9697 signatures=668679 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 bulkscore=0 mlxlogscore=999 lowpriorityscore=0 malwarescore=0 clxscore=1015 mlxscore=0 impostorscore=0 phishscore=0 adultscore=0 suspectscore=3 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007290116 Received-SPF: pass client-ip=141.146.126.78; envelope-from=daniel.kiper@oracle.com; helo=aserp2120.oracle.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/07/29 13:01:43 X-ACL-Warn: Detected OS = Linux 3.1-3.10 [fuzzy] X-Spam_score_int: -63 X-Spam_score: -6.4 X-Spam_bar: ------ X-Spam_report: (-6.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jul 2020 17:02:58 -0000 From: Chris Coulson Defining a new function with the same name as a previously defined function causes the grub_script and associated resources for the previous function to be freed. If the previous function is currently executing when a function with the same name is defined, this results in use-after-frees when processing subsequent commands in the original function. Instead, reject a new function definition if it has the same name as a previously defined function, and that function is currently being executed. Although a behavioural change, this should be backwards compatible with existing configurations because they can't be dependent on the current behaviour without being broken. Fixes: CVE-2020-15706 Signed-off-by: Chris Coulson Reviewed-by: Daniel Kiper --- grub-core/script/execute.c | 2 ++ grub-core/script/function.c | 16 +++++++++++++--- grub-core/script/parser.y | 3 ++- include/grub/script_sh.h | 2 ++ 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c index 8a9161cc8..ce83edd4b 100644 --- a/grub-core/script/execute.c +++ b/grub-core/script/execute.c @@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args) old_scope = scope; scope = &new_scope; + func->executing++; ret = grub_script_execute (func->func); + func->executing--; function_return = 0; active_loops = loops; diff --git a/grub-core/script/function.c b/grub-core/script/function.c index d36655e51..3aad04bf9 100644 --- a/grub-core/script/function.c +++ b/grub-core/script/function.c @@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, func = (grub_script_function_t) grub_malloc (sizeof (*func)); if (! func) return 0; + func->executing = 0; func->name = grub_strdup (functionname_arg->str); if (! func->name) @@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, grub_script_function_t q; q = *p; - grub_script_free (q->func); - q->func = cmd; grub_free (func); - func = q; + if (q->executing > 0) + { + grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("attempt to redefine a function being executed")); + func = NULL; + } + else + { + grub_script_free (q->func); + q->func = cmd; + func = q; + } } else { diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y index 4f0ab8319..f80b86b6f 100644 --- a/grub-core/script/parser.y +++ b/grub-core/script/parser.y @@ -289,7 +289,8 @@ function: "function" "name" grub_script_mem_free (state->func_mem); else { script->children = state->scripts; - grub_script_function_create ($2, script); + if (!grub_script_function_create ($2, script)) + grub_script_free (script); } state->scripts = $3; diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h index b382bcf09..6c48e0751 100644 --- a/include/grub/script_sh.h +++ b/include/grub/script_sh.h @@ -361,6 +361,8 @@ struct grub_script_function /* The next element. */ struct grub_script_function *next; + + unsigned executing; }; typedef struct grub_script_function *grub_script_function_t; -- 2.11.0