Date: Mon, 7 Sep 2020 17:27:36 +0200
From: Patrick Steinhardt
To: grub-devel@gnu.org
Cc: Denis GNUtoo Carikli, Glenn Washburn, Daniel Kiper
Subject: [PATCH v3 2/9] luks: Fix out-of-bounds copy of UUID
Message-ID: <5ecb9a4eb54870516fc9087785ace3af13357825.1599492346.git.ps@pks.im>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="lrZ03NoBR/3+SXJZ"
Content-Disposition: inline

--lrZ03NoBR/3+SXJZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

When configuring a LUKS disk, we copy over the UUID from the LUKS header into the new `grub_cryptodisk_t` structure via `grub_memcpy ()`. As size we mistakenly use the size of the `grub_cryptodisk_t` UUID field, which is guaranteed to be strictly bigger than the LUKS UUID field we're copying. As a result, the copy always goes out-of-bounds and copies some garbage from other surrounding fields. During runtime, this isn't noticed due to the fact that we always NUL-terminate the UUID and thus never hit the trailing garbage.

Fix the issue by using the size of the local stripped UUID field.

Signed-off-by: Patrick Steinhardt --- grub-core/disk/luks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c index 6ae162601..59702067a 100644 --- a/grub-core/disk/luks.c +++ b/grub-core/disk/luks.c @@ -95,6 +95,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uu= id, || grub_be_to_cpu16 (header.version) !=3D 1) return NULL; =20 + grub_memset (uuid, 0, sizeof (uuid)); optr =3D uuid; for (iptr =3D header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)]; iptr++) @@ -125,7 +126,7 @@ configure_ciphers (grub_disk_t disk, const char *check_= uuid, newdev->source_disk =3D NULL; newdev->log_sector_size =3D 9; newdev->total_length =3D grub_disk_get_size (disk) - newdev->offset; - grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); + grub_memcpy (newdev->uuid, uuid, sizeof (uuid)); newdev->modname =3D "luks"; =20 /* Configure the hash used for the AF splitter and HMAC. */ --=20 2.28.0 --lrZ03NoBR/3+SXJZ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEF9hrgiFbCdvenl/rVbJhu7ckPpQFAl9WUWgACgkQVbJhu7ck PpRX9A/7Byk08f47Zz+yq2+JXQY2BvhcN3MsdGLLo26WEGx5RsjjE1BzGgUyv8+e Rp6QiDlKsrstW5n3PEVyKNW5iu5Xg7j7s+XzYCiLM9o3C6GMwgKc6iCIi8wcEmzh OT5phgAWubT8LRTcWwOMZkXsxhmE7ZF250IJ7XmviTienB+6ml9zIh1j5lwsUY5G 8j1KJekvuzqisJqPioURn1rWl5Jq8DfIYzujle2EpagMGjqWdxUSUVIIprdB7qH3 Y32+G/omFk5R8pUzSKnIIj4Z9nNGhwQpRAOCYmSsawBJ3RqUJbMix7xNAABsuChn l0+p9rlpuoxpc5+wysd5InbnzrXYKnwCOXhi5ljcIeUazfAmz+0dCoZP4u1R7HEW xNZjkqqOLu1ozX8CC/CUlPlgtE1xnrX/li25TnSD8eahHdfKf0+njnuRDvxJKDWv NrrZ9oZYpa27FsjSZls0o9NN82UH2Xf4/xoW9Zvdiy3lMUq7/BCJgughqJt86+7+ xfmySeJEPFWaj4wQQ/PUteh0PuEngYddokyr5g98TRLiRnPr7EFIJWH47d7h165J HBLhX4oFQ7ukzf8J6Wy/+m2EKKmVuEjTaOqiea1yrhhExf7WjdZTnMUihXEJkg+W qAHqZyu0nTnAAvV0J35EFpAJcEQeaC4qMUNWcdr980pqKR+Q4eI= =K4fd -----END PGP SIGNATURE----- --lrZ03NoBR/3+SXJZ--
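Review bot: The `grub_memset (uuid, 0, sizeof (uuid))` added in the first hunk, ahead of the loop over `header.uuid`, is not explained anywhere: the commit message only describes the change of the copy size. Since the second hunk now copies all `sizeof (uuid)` bytes of the local buffer, any byte the loop does not write would otherwise be copied uninitialized, so the memset is load-bearing. Suggest saying so in the commit message or in a one-line comment above the call, so it is not later dropped as redundant.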
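Review bot: In the second hunk, `grub_memcpy (newdev->uuid, uuid, sizeof (uuid))` is only safe while `sizeof (uuid) <= sizeof (newdev->uuid)`; the commit message states that the destination field is guaranteed to be bigger, but nothing in the visible code enforces it. Consider a compile-time assertion on the two sizes next to the copy, so that a later change to either array fails the build instead of turning the former read overrun into a write overrun. It is also worth confirming that the bytes of `newdev->uuid` beyond `sizeof (uuid)` are zeroed when `newdev` is allocated, since this copy no longer writes them.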