Date: Wed, 26 Aug 2020 10:13:29 +0200
From: Patrick Steinhardt
To: grub-devel@gnu.org
Cc: Denis GNUtoo Carikli, Glenn Washburn, Daniel Kiper
Subject: [PATCH v2 2/9] luks: Fix out-of-bounds copy of UUID
Message-ID: <5ecb9a4eb54870516fc9087785ace3af13357825.1598429170.git.ps@pks.im>

When configuring a LUKS disk, we copy over the UUID from the LUKS header
into the new `grub_cryptodisk_t` structure via `grub_memcpy ()`. As size
we mistakenly use the size of the `grub_cryptodisk_t` UUID field, which
is guaranteed to be strictly bigger than the LUKS UUID field we're
copying. As a result, the copy always goes out-of-bounds and copies some
garbage from other surrounding fields. During runtime, this isn't
noticed due to the fact that we always NUL-terminate the UUID and thus
never hit the trailing garbage.

Fix the issue by using the size of the local stripped UUID field.
Signed-off-by: Patrick Steinhardt --- grub-core/disk/luks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c index 6ae162601..59702067a 100644 --- a/grub-core/disk/luks.c +++ b/grub-core/disk/luks.c @@ -95,6 +95,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uu= id, || grub_be_to_cpu16 (header.version) !=3D 1) return NULL; =20 + grub_memset (uuid, 0, sizeof (uuid)); optr =3D uuid; for (iptr =3D header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)]; iptr++) @@ -125,7 +126,7 @@ configure_ciphers (grub_disk_t disk, const char *check_= uuid, newdev->source_disk =3D NULL; newdev->log_sector_size =3D 9; newdev->total_length =3D grub_disk_get_size (disk) - newdev->offset; - grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); + grub_memcpy (newdev->uuid, uuid, sizeof (uuid)); newdev->modname =3D "luks"; =20 /* Configure the hash used for the AF splitter and HMAC. */ --=20 2.28.0
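Review bot: The `grub_memset (uuid, 0, sizeof (uuid));` added in the first hunk, just before the loop over `header.uuid`, is not mentioned in the commit message, which only describes the change of copy size. Because the second hunk now copies the full `sizeof (uuid)` bytes, any bytes of the local buffer that the loop does not write would presumably be copied into `newdev->uuid` as well, so the zeroing looks like a required part of the fix and not a cleanup. Please say so in the commit message or in a short comment above the memset, so that nobody later removes it as redundant with the NUL termination.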
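Review bot: In the second hunk, `grub_memcpy (newdev->uuid, uuid, sizeof (uuid));` takes its length from the source only, so the write stays in bounds only while `sizeof (uuid) <= sizeof (newdev->uuid)`, and nothing at the call site enforces that. The commit message states that the `grub_cryptodisk_t` field is bigger than the LUKS header field, but the relation to the local `uuid` array is not visible in this hunk. Consider adding a compile-time assertion of that size relation next to the copy, so that a later change to either array fails the build instead of turning the out-of-bounds read fixed here into an out-of-bounds write.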