From: Daniel Kiper <daniel.kiper@oracle.com>
To: grub-devel@gnu.org
Cc: 93sam@debian.org, alexander.burmashev@oracle.com,
	amakhalov@vmware.com, chris.coulson@canonical.com,
	cjwatson@debian.org, cperry@redhat.com, darren.kenny@oracle.com,
	darren.moffat@oracle.com, dave.miner@oracle.com,
	degranit@microsoft.com, eric.snowberg@oracle.com,
	ilya.okomin@oracle.com, jan.setjeeilers@oracle.com,
	jerecox@microsoft.com, jesse@eclypsium.com,
	john.haxby@oracle.com, kanth.ghatraju@oracle.com,
	konrad.wilk@oracle.com, mbenatto@redhat.com,
	mickey@eclypsium.com, msrc57813grub@microsoft.com,
	phcoder@gmail.com, pjones@redhat.com, sajacobu@microsoft.com,
	todd.vierling@oracle.com, xnox@ubuntu.com
Subject: [SECURITY PATCH 03/28] calloc: Make sure we always have an overflow-checking calloc() available
Date: Wed, 29 Jul 2020 19:00:16 +0200	[thread overview]
Message-ID: <20200729170041.14082-4-daniel.kiper@oracle.com> (raw)
In-Reply-To: <20200729170041.14082-1-daniel.kiper@oracle.com>

From: Peter Jones <pjones@redhat.com>

This tries to make sure that everywhere in this source tree, we always have
an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
available, and that they all safely check for overflow and return NULL when
it would occur.

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/kern/emu/misc.c          | 12 ++++++++++++
 grub-core/kern/emu/mm.c            | 10 ++++++++++
 grub-core/kern/mm.c                | 40 ++++++++++++++++++++++++++++++++++++++
 grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++--
 grub-core/lib/posix_wrap/stdlib.h  |  8 +++++++-
 include/grub/emu/misc.h            |  1 +
 include/grub/mm.h                  |  6 ++++++
 7 files changed, 85 insertions(+), 3 deletions(-)

diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
index 65db79baa..dfd8a8ec4 100644
--- a/grub-core/kern/emu/misc.c
+++ b/grub-core/kern/emu/misc.c
@@ -86,6 +86,18 @@ grub_util_error (const char *fmt, ...)
 }
 
 void *
+xcalloc (grub_size_t nmemb, grub_size_t size)
+{
+  void *p;
+
+  p = calloc (nmemb, size);
+  if (!p)
+    grub_util_error ("%s", _("out of memory"));
+
+  return p;
+}
+
+void *
 xmalloc (grub_size_t size)
 {
   void *p;
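Review bot: xcalloc carries no comment saying that its overflow protection is delegated entirely to the host libc's calloc(), and the same holds for the emulated grub_calloc added in grub-core/kern/emu/mm.c. Since the purpose of the series is that every calloc variant checks `nmemb * size`, that dependency should be stated where it is relied on, for example `/* Zeroed allocation; overflow of NMEMB * SIZE is detected by the host calloc(). Fails via grub_util_error() instead of returning NULL. */` above the definition. A host calloc() may also legitimately return NULL for a zero-sized request, which this function would report as "out of memory"; whether any caller passes zero is not visible here. The context lines at the end of the hunk belong to xmalloc, whose body continues outside it.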
diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
index f262e95e3..145b01d37 100644
--- a/grub-core/kern/emu/mm.c
+++ b/grub-core/kern/emu/mm.c
@@ -26,6 +26,16 @@
 #include <grub/i18n.h>
 
 void *
+grub_calloc (grub_size_t nmemb, grub_size_t size)
+{
+  void *ret;
+  ret = calloc (nmemb, size);
+  if (!ret)
+    grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
+  return ret;
+}
+
+void *
 grub_malloc (grub_size_t size)
 {
   void *ret;
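Review bot: The emulated grub_calloc reports every failure as `GRUB_ERR_OUT_OF_MEMORY`, while the native grub_calloc added in grub-core/kern/mm.c reports a multiplication overflow as `GRUB_ERR_OUT_OF_RANGE`. A caller that distinguishes the two codes will therefore behave differently under grub-emu than on real firmware. If parity matters, the overflow case can be separated before the host call with `if (grub_mul (nmemb, size, &sz)) { grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); return NULL; }`, which would also need `<grub/safemath.h>` in this file. The trailing context lines are the start of grub_malloc, which continues outside the hunk.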
diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c
index ee88ff611..f2822a836 100644
--- a/grub-core/kern/mm.c
+++ b/grub-core/kern/mm.c
@@ -67,8 +67,10 @@
 #include <grub/dl.h>
 #include <grub/i18n.h>
 #include <grub/mm_private.h>
+#include <grub/safemath.h>
 
 #ifdef MM_DEBUG
+# undef grub_calloc
 # undef grub_malloc
 # undef grub_zalloc
 # undef grub_realloc
@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size)
   return 0;
 }
 
+/*
+ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
+ * integer overflow.
+ */
+void *
+grub_calloc (grub_size_t nmemb, grub_size_t size)
+{
+  void *ret;
+  grub_size_t sz = 0;
+
+  if (grub_mul (nmemb, size, &sz))
+    {
+      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+      return NULL;
+    }
+
+  ret = grub_memalign (0, sz);
+  if (!ret)
+    return NULL;
+
+  grub_memset (ret, 0, sz);
+  return ret;
+}
+
 /* Allocate SIZE bytes and return the pointer.  */
 void *
 grub_malloc (grub_size_t size)
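Review bot: The header comment on grub_calloc documents only the overflow case and does not say that the returned memory is zero-filled or that NULL is also returned when grub_memalign fails. Callers replacing `grub_zalloc (n * m)` rely on both properties, so I would spell the contract out: `/* Allocate zero-filled memory for NMEMB objects of SIZE bytes. Returns NULL with GRUB_ERR_OUT_OF_RANGE if NMEMB * SIZE overflows, or NULL if the allocation itself fails. */`. As a style point, the `grub_memalign (0, sz)` plus `grub_memset` pair appears to duplicate what grub_zalloc does, so `return grub_zalloc (sz);` after the overflow check would keep a single zeroing path, assuming grub_zalloc is defined in this file as the `#undef` list suggests.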
@@ -562,6 +588,20 @@ grub_mm_dump (unsigned lineno)
 }
 
 void *
+grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
+{
+  void *ptr;
+
+  if (grub_mm_debug)
+    grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
+		 file, line, size);
+  ptr = grub_calloc (nmemb, size);
+  if (grub_mm_debug)
+    grub_printf ("%p\n", ptr);
+  return ptr;
+}
+
+void *
 grub_debug_malloc (const char *file, int line, grub_size_t size)
 {
   void *ptr;
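Review bot: The grub_printf call in grub_debug_calloc has four conversions (`%s`, `%d` and two `PRIxGRUB_SIZE`) but passes only three arguments, `file, line, size`. The first size conversion therefore prints `size` where `nmemb` belongs, and the second reads a variadic argument that was never passed, which is undefined behaviour. The argument line should read `file, line, nmemb, size);`. The call is reached only when grub_mm_debug is set, but it can also trip format checking in builds that compile this function. The trailing context lines are the start of grub_debug_malloc, which continues outside the hunk.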
diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c
index beeb661a3..74c6eafe5 100644
--- a/grub-core/lib/libgcrypt_wrap/mem.c
+++ b/grub-core/lib/libgcrypt_wrap/mem.c
@@ -4,6 +4,7 @@
 #include <grub/crypto.h>
 #include <grub/dl.h>
 #include <grub/env.h>
+#include <grub/safemath.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -36,7 +37,10 @@ void *
 gcry_xcalloc (size_t n, size_t m)
 {
   void *ret;
-  ret = grub_zalloc (n * m);
+  size_t sz;
+  if (grub_mul (n, m, &sz))
+    grub_fatal ("gcry_xcalloc would overflow");
+  ret = grub_zalloc (sz);
   if (!ret)
     grub_fatal ("gcry_xcalloc failed");
   return ret;
@@ -56,7 +60,10 @@ void *
 gcry_xcalloc_secure (size_t n, size_t m)
 {
   void *ret;
-  ret = grub_zalloc (n * m);
+  size_t sz;
+  if (grub_mul (n, m, &sz))
+    grub_fatal ("gcry_xcalloc would overflow");
+  ret = grub_zalloc (sz);
   if (!ret)
     grub_fatal ("gcry_xcalloc failed");
   return ret;
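Review bot: The overflow message added to gcry_xcalloc_secure reads `gcry_xcalloc would overflow`, identical to the one added to gcry_xcalloc in the previous hunk, so a fatal stop cannot be attributed to the allocator that hit it. I would use `grub_fatal ("gcry_xcalloc_secure would overflow");` here; the pre-existing "gcry_xcalloc failed" context line has the same copy-paste wording. After this change the two function bodies are identical, so the secure variant could instead be reduced to `return gcry_xcalloc (n, m);` if no separate secure-memory handling is planned. The function's closing brace lies outside the hunk.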
diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
index 3b46f47ff..7a8d385e9 100644
--- a/grub-core/lib/posix_wrap/stdlib.h
+++ b/grub-core/lib/posix_wrap/stdlib.h
@@ -21,6 +21,7 @@
 
 #include <grub/mm.h>
 #include <grub/misc.h>
+#include <grub/safemath.h>
 
 static inline void 
 free (void *ptr)
@@ -37,7 +38,12 @@ malloc (grub_size_t size)
 static inline void *
 calloc (grub_size_t size, grub_size_t nelem)
 {
-  return grub_zalloc (size * nelem);
+  grub_size_t sz;
+
+  if (grub_mul (size, nelem, &sz))
+    return NULL;
+
+  return grub_zalloc (sz);
 }
 
 static inline void *
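Review bot: On overflow the POSIX-wrapper calloc returns NULL without calling grub_error, whereas the grub_calloc this patch declares in `<grub/mm.h>` records `GRUB_ERR_OUT_OF_RANGE` on the same condition. The wrapper also repeats the `grub_mul` check that grub_calloc already performs. Replacing the new body with `return grub_calloc (size, nelem);` would give imported code the same checked, zeroing allocator and leave one implementation of the overflow test to maintain. Whether callers of this wrapper consult grub_errno is not visible from the hunk, so treat the error-reporting difference as something to confirm.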
diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h
index ce464cfd0..ff9c48a64 100644
--- a/include/grub/emu/misc.h
+++ b/include/grub/emu/misc.h
@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev);
 #define GRUB_HOST_PRIuLONG_LONG "llu"
 #define GRUB_HOST_PRIxLONG_LONG "llx"
 
+void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
 void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
 void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
 char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
diff --git a/include/grub/mm.h b/include/grub/mm.h
index 28e2e53eb..9c38dd3ca 100644
--- a/include/grub/mm.h
+++ b/include/grub/mm.h
@@ -29,6 +29,7 @@
 #endif
 
 void grub_mm_init_region (void *addr, grub_size_t size);
+void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
 void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
 void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
 void EXPORT_FUNC(grub_free) (void *ptr);
@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
 void grub_mm_dump_free (void);
 void grub_mm_dump (unsigned lineno);
 
+#define grub_calloc(nmemb, size)	\
+  grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
+
 #define grub_malloc(size)	\
   grub_debug_malloc (GRUB_FILE, __LINE__, size)
 
@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
 #define grub_free(ptr)	\
   grub_debug_free (GRUB_FILE, __LINE__, ptr)
 
+void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
+				      grub_size_t nmemb, grub_size_t size);
 void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
 				      grub_size_t size);
 void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
-- 
2.11.0


